Data protection issues

This page aims to list and analyse the different key provisions of the European Commission's Proposal for a General Data Protection Regulation and related amendments proposed by the IMCO, ITRE, JURI and LIBE committees.

You can find all the relevant documents on this subject here.

=Scope of the Regulation=

Material scope
=Consent & exceptions=

Article 29 Working Party position
Opinion (2011) of the Article 29 Data Protection Working Party on the Definition of Consent:

''This Opinion is partly issued in response to a request from the Commission in the context of the ongoing review of the Data Protection Directive. It therefore contains recommendations for consideration in the review. Those recommendations include:''
 * (i) clarifying the meaning of “unambiguous” consent and explaining that only consent that is based on statements or actions to signify agreement constitutes valid consent;
 * (ii) requiring data controllers to put in place mechanisms to demonstrate consent (within a general accountability obligation);
 * (iii) adding an explicit requirement regarding the quality and accessibility of the information forming the basis for consent, and
 * (iv) a number of suggestions regarding minors and others lacking legal capacity.

''The notion of unambiguous consent is helpful for setting up a system that is not overly rigid but provides strong protection. While it has the potential to lead to a reasonable system, unfortunately, its meaning is often misunderstood or simply ignored.''

''Clarification should aim at emphasizing that unambiguous consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent. At the same time it should be made clear that the use of default options which the data subject is required to modify in order to reject the processing (consent based on silence) does not in itself constitute unambiguous consent. This is especially true in the on-line environment.''

''The Council Common Position in 1995 introduced the final (today's) definition of consent. It was defined as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". The main change from the 1992 Commission position involved deleting the word "express" that had preceded the word "indication". At the same time, the word "unambiguous" was added to Article 7(a), so it reads as follows: "if the data subject has given his consent unambiguously".''

LIBE members
Seven amendments have been submitted by seventeen members of LIBE, proposing to withdraw the requirement for an explicit consent (amendments 757, 758, 760, 762, 764, 765 & 766). Those seventeen MEPs are:


 * Lidia Joanna Geringer de Oedenberg (S&D - Poland)


 * Adina-Ioana Vălean (ALDE - Romania)
 * Jens Rohde (ALDE - Denmark)
 * Louis Michel (ALDE - Belgium)
 * Sarah Ludford (ALDE - United Kingdom)


 * Charles Tannock (ECR - United Kingdom)
 * Timothy Kirkhope (ECR - United Kingdom)


 * Axel Voss (EPP - Germany)
 * Seán Kelly (EPP - Ireland)
 * Wim van de Camp (EPP - Netherlands)
 * Hubert Pirker (EPP - Austria)
 * Monika Hohlmeier (EPP - Germany)
 * Georgios Papanikolaou (EPP - Greece)
 * Véronique Mathieu Houillon (EPP - France)
 * Anna Maria Corazza Bildt (EPP - Sweden)
 * Agustín Díaz de Mera García Consuegra (EPP - Spain)
 * Teresa Jiménez-Becerril Barrio (EPP - Spain)

IT Giants' recommendations to MEPs

 * Google (February 2012 document): 'a default expectation of explicit consent [...] creates uncertainty and significant burdens for organizations [and] a very real risk that by complying with the new Regulations data controllers will undermine consumer confidence and disempower the citizens' ; 'consent understood as a form of user control can be valid in different ways.' 


 * Facebook (March 2012 document): '[the requirement of explicit consent] carries the risk of inundating users with tick boxes and warnings and may result in an overly disrupted or disjointed internet experience. This will inevitably lead to a potential ‘devaluation’ of the principle, and may make it harder for users to make judgments about when it is appropriate to give consent or withhold it. [...] Unambiguous consent should be a valid means of legitimizing data processing. [...] We are seeing great innovation (including granular and sophisticated control tools) from many players in the market to empower users to understand how their information is used and how services work when they choose to share information online. [...] These practices must not be hampered by over-prescriptive and often meaningless consent requirements. [...] The controller is in the best position to decide the appropriate level of information to provide individuals about specific processing activities. The information to be provided for the purposes of obtaining the data subject's consent may be determined by the data controller.'


 * Microsoft (February 2012 document): 'There is currently a wide range of mechanisms that effectively enable users to control and consent to collection and use of their information depending on the circumstances involved – including some opt-out technologies that provide stronger protection for consumer privacy than some opt-in mechanisms. For example, an opt-out mechanism that provides complete information on how personal data will be used is more protective of consumer privacy than an opt-in mechanism that does not provide complete information. [...] Equally important, by requiring users to opt in to every use of their data, the Regulation will potentially require internet users to opt in dozens of times, if not more, during a single web surfing session or mobile internet use. Yet consumers demand internet services that are fast, easy-to-use and efficient. Onerous and static opt-in mechanisms instituted by controllers anxious to be in unambiguous compliance with an ambiguous requirement will frustrate many users – and ultimately may lead users to opt in as a matter of routine, even in cases where their privacy would be better served by opting out.' 


 * Amazon (November 2012 document): 'Requiring ‘explicit’ consent as the norm for every data use scenario, irrespective of the context of data processing and the privacy risks for data subjects, is overly formalistic and rigid. It risks inhibiting legitimate and innovative business practices in the off- and online environment and impacting user experience and expectations without adding anything to users’ data protection. Consent as a means to gain user acceptance and protect fundamental rights may be devaluated as a consequence of consumers being overloaded with consent requests, making it difficult for them to understand the privacy impact of different data processing operations'


 * eBay (November 2012 document): 'eBay believes that requiring explicit consent in every situation where consent forms the legal basis for processing personal data is too strict and creates an unnecessary obstacle to online and mobile business models. [...] Therefore, eBay proposes a context-based approach to consent to avoid ‘click-fatigue’ amongst consumers and to improve their user experience.'

Purpose limitation
IMCO and JURI's amendments propose to extend the five narrow exceptions allowing data to be further processed for a new purpose to the broad and dangerously vague one of legitimate interest.

Legitimate Interest
Unlike the Directive, the Proposal for a Regulation only refers to the legitimate interest pursued "by a controller", and not to the one pursued "by the controller or by the third party or parties to whom the data are disclosed".

At first sight, the exception set by the Proposal seems narrower. But the Commission clearly explained to Member States' representatives that its scope is actually unchanged (Council of the EU, July 2012): ''"In response to questions posed by [Cyprus] and other [Member States] regarding the rationale for the omission of a third party’s legitimate interest as legal basis for the disclosure of data, the [Commission] explained, as we have understood, that upon the receipt of the data the third party becomes “another” controller and thus it is no longer necessary to refer to third parties." (Cyprus); "As we understand the explanations given by the Commission ’a controller’ is supposed to include both the controller and the third party, given that the third party is also a controller." (Sweden)''

The Proposal defines a "controller" as "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data [...]" (article 4.e), this "processing" meaning "any operation or set of operations which is performed upon personal data [...] such as collection, [...] storage, [...] consultation, use, disclosure by transmission [...];" (article 4.c). Thus, anyone consulting or using personal data is a controller. And the "legitimate interest" exception, as it is defined in the Proposal, would allow companies to process personal data without the data subject's consent if those data are intended to be disclosed to anyone willing to consult or use them and having a legitimate interest in doing so.

Eva Lichtenberger's justification against "legitimate interest"
''As drafted, this provision could offer controllers a way to avoid many restrictions, since experience suggests that few data subjects will test reliance on this ground in court. Moreover, the broadness of the term creates legal uncertainty. This is also likely to lead to divergences in practice between Member States and therefore fail to achieve harmonisation. Points (a) to (e) already offer ample grounds for lawfulness, so "legitimate interest" should be removed as a ground for processing. The vagueness of the term "legitimate interests" would encourage controllers to try to cover as much processing as possible under this ground, even though it could be covered under other grounds, notably consent, as well. This in turn would make it harder for data subjects to enforce their rights – while consent can easily be revoked, objecting to processing based on "legitimate interest" requires more effort on part of the data subject. Having such an ill-defined term be one of the grounds for lawfulness could also contribute to legal uncertainty, as it is quite likely that interpretations by supervisory authorities and courts will differ between Member States.''

LIBE members
Seven amendments have been submitted by seventeen members of LIBE, proposing to extend the 'legitimate interest' of the controller to that of third parties (amendments 873, 874, 878, 880, 882, 883 & 884). Those seventeen MEPs are:


 * Alexander Alvaro (ALDE - Germany)
 * Nadja Hirsch (ALDE - Germany)
 * Adina-Ioana Vălean (ALDE - Romania)
 * Jens Rohde (ALDE - Denmark)
 * Louis Michel (ALDE - Belgium)


 * Axel Voss (EPP - Germany)
 * Seán Kelly (EPP - Ireland)
 * Wim van de Camp (EPP - Netherlands)
 * Véronique Mathieu Houillon (EPP - France)
 * Monika Hohlmeier (EPP - Germany)
 * Lara Comi (EPP - Italy)
 * Hubert Pirker (EPP - Austria)
 * Renate Sommer (EPP - Germany)
 * Agustín Díaz de Mera García Consuegra (EPP - Spain)
 * Teresa Jiménez-Becerril Barrio (EPP - Spain)
 * Salvatore Iacolino (EPP - Italy)
 * Ewald Stadler (NI - Austria)

IT Giants' and banks' recommendations to MEPs

 * Google (February 2012 document): 'We do note that consent is only one of several ways that the Regulation allows for the legitimate processing of personal data. Compared with the current legislative framework, however, consent has been prioritized against the ‘legitimate interests’ rule, which has heretofore controllers to process information if it does so for legitimate business interests and insofar as the processing does not affect the data subjects’ fundamental rights to privacy. Maintaining the viability of the ‘legitimate interests’ rule is important because it leaves room for organizations to process information outside explicit consent through enhanced transparency and user control.' 


 * eBay (November 2012 document):


 * European Banking Federation (November 2012 document):


 * Eurofinas (December 2012 document):


 * Eurocommerce (September 2012 document): 'Some businesses collect data on other businesses which is to a large extent personal data. This holds true, for example, if the information includes data on individual owners or the management of businesses. Such data collection and processing requires a legal justification and today, such justification is provided by the so-called “balance of interest clause” in Article 7 (f) of the current Directive as implemented in national laws. For example, credit information services collect data solely in the legitimate interest of third parties to whom the data are disclosed (their customers), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects. Credit reporting agencies do not have a contractual relationship to the person on whom they collect data. Much like the directory industry, the business of credit reporting agencies is based on the interests of the recipients of the collected data, i.e. on the interest of third parties. The Proposal does not enable credit information services to rely on third party legitimate interests which are vital since it is in the benefit of their customers to receive information about the financial performance of their business partners. Without this, credit information services would only be able to rely on the legitimate interest which might not be sufficient to justify the data collection that is vital to perform their business. They would be unable to rely on other legal justifications such as consent as it would be impossible for them to collect the necessary consent declarations from all individuals involved. There is no clear justification to propose this major change to the balance of interest clause. Deleting the interests of third parties to whom the data are disclosed does not make the balance of interest clause more modern, flexible or business-friendly.' 


 * ACCIS (Association of Consumer Credit Information Suppliers - December 2012 document): 'The lawfulness of processing based on the legitimate interest must be extended to legitimate interests pursued by third parties to whom the data are disclosed by a controller. To exclude this provision might compromise an essential principle of legitimacy that is very important in the market. It would be contradictory to admit this principle with reference to the controller itself but not with reference to another party (the second controller) receiving data from the former. The result would be to exclude the possibility for data suppliers to supply on a legitimate basis data to final users of such data even if the legitimate interest is recognized and justified. The limitation is not reasonable and only has the effect to limit the market without providing greater protection for data subjects.'

Pseudonymous Data
=Profiling=

Eva Lichtenberger's justification against profiling
Amendment 112 proposed in JURI

''Profiling can entail serious risks for data subjects. It is prone to reinforcing discriminations, making decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust in especially online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.''

=Data Breach=

=Transfer to third countries=

=Sanctions=

=Data subjects' rights=

=Complaints=