Currently, the Data Protection Directive (EU) from 1995 regulates the protection of personal data on the Internet. It regulates the processing of personal data, which covers data collection, processing and transfer.
Every Member State of the European Union has brought the 1995 directive into its national law by passing new laws. In France, this was done in 2004 through reform of our law on Informatics and Civil liberties, which regulates since 1978 the use of natural person's personal data. The directive created a supervisory authority in each State, charged with enforcing the rules in government bureaus and in enterprises. In France that Data Protection Authority (DPA) is the CNIL (the National Commission on Informatics and Civil Liberties), in existence since 1978, which takes responsibility for these missions. While this directive is a definite advance in the protection of personal data, it is not exempt from faults. Thus, all of its provisions have not been identically enacted from one member State to another, while other rules have not been defined precisely enough. As a result, today the protection of personal data knows some significant shortcomings.
The new Rule under discussion since 2012 aims to correct a certain number of these shortcomings and to adapt the protection of personal data to the expansion of collecting and treating personal data.
La Quadrature du Net has worked out these propositions to guarantee citizens control over their personal data, and their proper use.
Guarantee the user's informed consent
- The user must consent to the use of their personal data when these are going to be used;
- Their consent must be specific, informed and explicit, given freely in a clear and affirmative way, signifying agreement for personal data to be used;
- The user's consent may not be misused to ends other than those for which it was originally given.
Prohibition of profiling
Profiling is a computerized method of using information which uses procedures of "data mining" on collections of data, which - with a certain probability and a certain level of error - permits classifying an individual in a particular category in order to make decisions with respect to him or her individually.
The collection of data comprises messages transmitted on the web as well as videos and websites visited by all users, which are analysed by the Internet giants and by companies whose purpose is to sell advertising targeted toward these profiles.
The user must see written in the Rule the right to refuse to be profiled, and this right must be concretely applicable to normal activities.
Guaranteeing the right to data portability
When a user wishes to transfer their data from one service to another, quit a service or develop another service, they currently don't always have the possibility to obtain their data to transfer it.
The right to the portability of data must be written into law, and this portability must be effective; that is to say that both the export formats and the data must be in open formats, the services interoperable, and the portability must not be subject to any payment whatsoever.
Clarification of the concept of legitimate interest
The current version of the European Rule on the protection of data gives to enterprises which collect and process personal data the right to go beyond the original aim of collecting it that the user has accepted when these enterprises have a "legitimate interest" in so doing.
The concept of "legitimate interest" has no legal definition. This concept poses a problem because it permits enterprises and public authorities to continue to process personal data without the user's consent, with no absolutely necessary reason for the processing and with no legal obligations, if they consider that they have a legitimate interest more important than that of the person affected. This therefore makes it a real perversion of the rule of prior consent.
Legitimate interest can be broadly interpreted. In this way the simple fact that a user is an enterprise's client is enough to confer on it a legitimate interest to carry out processing the user's data.
Thus La Quadrature du Net suggests to:
- Define and delimit the concept of "legitimate interest";
- Forbid using "legitimate interest" except as a last resort, when there is no legal basis, and that this recourse must be supported and communicated from the enterprise or public agency.
Limit the "pseudonymization of data" and promote anonymization
"Anonymized" data are data from which it is impossible to isolate and to identify an individual. Anonymity is thus respected fully. "Pseudonymized" data, in contrast, can be connected to individuals by means of links between the pseudonym and identifying data (family name, forename, address...) available to the organization collecting the information. Thus it is extremely easy to identify an individual using relatively little data.
Thus, pseudonymization does not adequately protect users, who can still be identified easily. Unfortunately it is too often presented by enterprises as enough protection, and risks being authorized by the Rule, to the citizens' detriment.
Thus La Quadrature du Net proposes to:
- Favour using anonymized data to better preserve users' identities, and to inform them of the "risks" of being identified with pseudonymized data;
- Demand the users' consent to use all types of personal data, whether anonymized or pseudonymized.
End the "Safe Harbor" agreement
"Safe Harbor" is an agreement which permits American enterprises operating in Europe to transfer the data of European citizens to the USA and to exploit them for profit. In return, the enterprise is required to respect European law, more protective than American law in data protection matters. For example, transferring data is only possible if the individual has the freedom to prevent it.
This agreement comprises numerous shortcomings dangerous for data protection and for users. This is why the European Parliament called for renegotiating it in 2014.
"Safe Harbor" provides only a mechanism of self-certification, not a real controlling authority to verify adherence to the agreement. In the same vein, recourse is very limited for European citizens, because it is more difficult for them to engage an American judicial or administrative authority than for American residents.
An even more serious problem concerns the policies and confidentiality of "Safe Harbor" enterprises, and access to the data by third parties. Edward Snowden's revelations have shone a light on the how the American public authorities collect and process data transferred in the framework of the Safe Harbor.
Thus La Quadrature du Net proposes to:
- Create a genuine independent oversight authority to verify adherence to international agreements;
- Facilitate a procedure of recourse for European citizens concerning foreign enterprises;
- Limit access to and processing of data by limiting it solely to enterprises that adhere to the agreement.