A stricter regime for profiling (07 June 2016)
European Parliament Committee Releases Proposed Amendments to Data Protection Regulation
Jan Albrecht, the rapporteur for the European Parliament's Committee on Civil Liberties, Justice and Home Affairs, released a draft report last month with key proposals to amend the European Commission's proposed Regulation on data protection. The report includes a total of 350 amendments to the original proposal. Highlights of the 215-page report include the following:
- "Legitimate interest" justification: Previously, the Commission's proposal contained language similar to that of the existing Directive, which permits processing based on the "legitimate interests" pursued by the data controller, provided that those interests are not overridden by the fundamental rights of data subjects. The legitimate interest justification has become increasingly important as data protection authorities have tightened the conditions for valid consent as a basis for processing. In cases where consent is ambiguous, data controllers often rely on the legitimate interest justification as a back-up. The amendments proposed by the European Parliament would make the legitimate interest justification more difficult to use than under the Commission's wording. Among other things, the data controller would be obligated to publish its reasons for believing that its legitimate interests override the fundamental rights of the data subject. The proposed amendments also include a list of cases where the legitimate interest of data controllers would be deemed to override the fundamental rights of data subjects, and conversely, cases where the fundamental rights of data subjects would be deemed to override the legitimate interests of the data controller.
- Jurisdictional reach: The original proposal would have extended the Regulation's jurisdiction to include all data processing activities "related to" either the offering of goods or services to data subjects in the EU, or monitoring of data subjects' behavior. The amendments propose to change the jurisdictional reach to data processing "aimed at" (rather than "related to") those two activities. Additionally, the amendments include explicit language that the offering of goods or services applies whether or not payment is required for those goods/services. And the proposed amendments would broaden the monitoring prong by removing the "behavior" element, instead extending jurisdiction to all monitoring of data subjects in the EU.
- Pseudonymous data: The European Parliament amendments propose to include incentives for data controllers to use pseudonymous data. The modification would allow lighter consent obligations when only pseudonymous data is involved. The report cites section 15 of the German Tele-Media Law as an example that the Regulation should follow.
- Non-EU judicial and administrative access: The amendments include a requirement that the data controller seek approval of the relevant data protection authority before disclosing data in response to a court or other legal order issued by a third country. This measure appears to encompass all judicial and administrative actions resulting in an order, including situations involving law enforcement access to data stored in the cloud.
- Right to be forgotten: The right to be forgotten has been modified such that data controllers would no longer have to take reasonable steps to contact third parties to request them to erase copies of data if the initial publication of the data by the data controller was conducted with the data subject's consent or based on another justification under Article 6(1) of the Regulation. The report explains: "if a publication of personal data took place based on legal grounds as referred to in Article 6(1), a 'right to be forgotten' is neither realistic nor legitimate."
- Profiling: The proposed amendments would strengthen data subjects' rights in connection with profiling. The report proposes that profiling be permitted only with the data subject's consent or based on an express statutory provision.
- Documentation requirements: The proposed amendments would ease some of the burdens on data controllers to prepare documentation regarding their processing operations. Data controllers would only need to prepare one set of documentation, containing the information that must be disclosed to data subjects under Article 14 of the draft Regulation.
- Small business exception: The report proposes modifying the small business exception in several places by replacing the current criterion of 250 employees with a criterion based on the number of data subjects whose data are being processed. Under the proposed amendments, an enterprise processing personal data relating to fewer than 500 data subjects per year would benefit from simplification measures under the Regulation.
- Adequacy for "processing sectors": The proposed amendments would remove the European Commission's ability to reach an adequacy decision with regard to certain processing sectors in a third country. This would prevent the Commission from determining that processing sectors such as the healthcare industry in the United States provide adequate protection based on sector-specific privacy regulation.
- Single Responsible DPA: The report proposes to dilute the principle that a single data protection authority, located in the Member State of the data controller's main establishment, would be responsible for compliance issues throughout the EU. The proposed amendment would state that each supervisory authority shall be competent to supervise all data processing operations on the territory of its own Member State, or where the personal data of residents of that Member State are processed. For cross-border issues, a single data protection authority would have lead responsibility vis-à-vis the data controller, and would act as the single point of contact. In cases where determining a single lead authority proves difficult, the European Data Protection Board would make a determination as to which supervisory authority is the lead.
- Consistency mechanism: The report replaces the original proposal's consistency mechanism by creating an alternative consistency mechanism based on the lead responsible authority principle discussed above. The proposed amendments would maintain consistency by requiring the lead authority to "ensure coordination" and "take the utmost account of the opinions of the [other] authorities involved" during supervisory proceedings. If another involved authority disagrees with the lead authority, then the issue goes to the European Data Protection Board to weigh in. The proposed amendments cover many other details of how the alternative consistency mechanism would function, including a review process ultimately culminating in the ability of the Commission to weigh in on the matter.
- Sanctions: The report does not propose to modify the maximum sanctions provided for in the Commission's draft. However, the amendments include new sanction guidelines that would affect the level of sanction to be applied. Sanctioning criteria include whether the data controller put into effect accountability measures, and whether the data controller actively cooperated with data protection authorities to remedy the infringement and mitigate possible adverse effects.
- Breach notification requirements: The report suggests adjusting the original proposal's 24-hour reporting requirement in the case of a data breach to 72 hours (although the report includes this adjustment only in an amendment to the recitals, but not the relevant article of the Regulation). The amendments include additional language aimed at preventing notification fatigue by giving examples of when a breach is likely to require notification to the affected data subject. And the amendments include an additional requirement that the supervisory authority maintain a public listing of the types of breaches occurring in order to educate the public.
- Expiration for Safe Harbor agreements and model contractual clauses: The report amends the proposed Regulation with respect to third country transfers based on Safe Harbor agreements or model contractual clauses. The amendment includes new language that such arrangements will remain in force only two years after the Regulation takes effect, whereas the original proposal would have left such arrangements in effect "until amended, replaced or repealed by the Commission."