Amendments to European DP Regulation

11 January 2013

Ruth Boardman, Ariane Mole, Fabian Niemann

Jan Philipp Albrecht, a Rapporteur for the European Parliament, released his new report on the proposed European Data Protection Regulation, which will replace the current Data Protection framework within the European Union. The 215 pages report, containing 350 proposed amendments to be discussed now in plenary session by the European Parliament, aims to strengthen individual’s rights and therefore imposes additional obligations on companies. The report also assigns a greater role to the European Data Protection Board, which is entrusted with taking legally binding decisions at European level.

The main new outcomes are the following:

Privacy by Design: Newly introduced obligations on manufacturers of hardware and software. The Rapporteur introduces a new definition of the “producer”, to impose requirements on “persons or bodies which create automated data processing or filing systems to be used by data controllers or data processors”. Automated data processing systems is widely defined as hard- and software.  should also take into account the principle of privacy by design and by default Notably, the producer will need to comply with privacy by design and privacy by default requirements, even if they do not process personal data themselves. In the Commission’s draft, such requirements only apply to the controller, whereas the Rapporteur extends such requirements also to the processor and the producer. The Rappoteur states that “This is especially relevant for widely used standard applications, but also should be respected for niche products." If this amendment is voted by the European Parliament, data protection becomes relevant for all hardware and software manufacturers when designing their products.

A More Limited “One-Stop-Shop”: the report supports as a principle, the European Commission’s proposal for a lead Data Protection Authority for companies established in more than one European Member State. However, an alternative mechanism is proposed, which relies on closer cooperation between authorities: the lead authority becomes “a single contact point” for the controller or processor, rather than the competent authority for supervising processing activities as provided in the Commission’s text. The lead Authority shall ensure coordination with all other DP Authorities involved, and consult with the other Authorities before adopting a measure. Each DP Authority remains competent to supervise processing operations within its territory or affecting data subjects resident in its territory. In the event of a disagreement on which is the competent lead DP Authority – i.e. on which is the country of main establishment -, this will be dealt with by the European Data Protection Board. 

A Mandatory Data Protection Officer for Each Company: the Commission’s draft provided for an obligation to designate a data protection officer for each controller or processor employing 250 persons or more. Such provisions were deleted by the Rapporteur, and the amended text provides that any legal person processing data relating to “more than 500 data subjects per year” will need to appoint a DP officer! As such criteria will obviously be met by every company, as a result appointing a data protection officer will become mandatory for each legal person; only entities without the form of a legal person (e.g. individuals providing professional services) would therefore be exonerated from such requirement. 
 
Limitations to the “Legitimate Interest” provision and to the possibility for companies to process personal data without consent: The amendments provide for stricter rules governing the lawfulness of processing. Consent becomes the key criteria for processing personal data, consequently shrinking the possibility for companies to process data without consent. The Rapporteur made a list of cases where the interests of the controller cannot be used as a legitimate basis, for instance for the processing of sensitive data, of location data and biometric data, or in the context of profiling, and when the data subject is a child. In addition, the legitimate interests of the controller cannot be used “if the processing causes a serious risk of damage to the data subject” or “may adversely affect the data subject”: depending on their interpretation, such criteria may considerably extend the scope of the prohibition. As a result, the possibility for the controller to collect and further process personal data for the purposes of its legitimate interests (i.e. according to the so called “balance of interests”) is particularly reduced. One implication is that much direct marketing would only be possible based on prior consent.The Rapporteur also made a limited list of cases where the legitimate interests of the controller may always be used as a legal basis. In all other cases, the controller will need to inform data subjects of its reasons for believing that its interests override the interests of the data subjects (see below).
 
Protection Extended for Online Data: the Regulation had specifically noted that certain categories of online data may be personal - location data and online identifiers such as IP addresses and cookie identifiers are singled out for special mention.  The Rapporteur now suggests that such data should always be personal, unless it can be shown that the identifiers do not relate to natural persons (eg IP addresses allocable to corporates).  

A Drastic Increase of Information Notice Requirements, but Multi Layered Notices are possible: The Rapporteur proposes to merge information and documentation requirements considered as “essentially being the two sides of the same coin”. Notice to data subjects would thus also include:

- Information on joint-controllers,
- Categories of personal data collected and processed,
- The reasons for believing that its legitimate interests  override the interests of fundamental rights of the data  subjects (in cases not already listed by the Regulation as allowing the legitimate interests to be used as a legal basis),
- The list of recipients (not only the “categories” of recipients),
- A reference to the appropriate safeguards put in place by the controller in case of personal data transfers outside the European Union, and the means to obtain copy of them,
- Information about profiling and the mechanisms to object to such profiling.
 
Due to the complexity of the exercise of providing comprehensive notice in a clear and understandable manner, the Rapporteur validates the possibility of a multi layered formats that can improve the “readability” of the notices so that data subjects can “at one glance” understand how their personal data are being used and make decisions.

A Larger Territorial Scope For The Regulation: according to the Rapporteur, EU rules must cover more largely the processing of personal data on Union residents, which are handled abroad by companies established outside the E.U. The amendments provide that the Regulation must apply to the offering of goods or services to data subjects in the European Union, irrespective of whether payment is required for these goods or services, and this is meant at insuring the applicability of the Regulation to so called “free services”. Also, according to the amendments, the Regulation should cover not only the monitoring of the behaviour of Union residents by data controllers outside of the European Union,  - such as through internet tracking - but all collection and processing of personal data about Union residents.

The right to be forgotten is reworded as “a right to erasure and to be forgotten”. However, since the amendments provide for strict rules governing legal grounds for processing (see above), the Rapporteur considers that “if publication of personal data took place based on legal grounds, the right to be forgotten is neither realistic nor legitimate”.

A Greater Role for the European Data Protection Board: the Rapporteur gives more powers to the European Data Protection Board, which is entrusted with taking legally binding decisions, and becomes more like a DP Authority at European level. The European DP Board may adopt measures which shall be binding upon each DP Authority in the Members States. The Rapporteur also drastically reduces the number of delegated acts from the European Commission foreseen in the draft Regulation. The vast majority of the foreseen delegated acts are suppressed, and in some cases replaced by the possibility for the European DP Board rather than for the Commission to further specify the criteria, conditions, and appropriates safeguards for the processing of personal data.
 

Micro, Small and Medium-Sized Enterprises Are No Longer Exonerated from the obligations to comply with some of the requirements: while the Commission’s draft provided for some exemptions, notably for organisations employing fewer than 250 persons (on obligations to keep a Register of processing operations, to appoint a DP Officer) the Rapporteur considers that “all rules should apply to every data controller”.


The Regulation specifically notes that certain categories of online data may be personal - location data and online identifiers such as IP addresses and cookie identifiers are singled out for special mention.  The draft Report suggests that such data should always be personal, unless it can be shown that the identifiers do not relate to natural persons (eg IP addresses allocable to corporates).  
 
Next Steps:

27 February 2013: Deadline for MPs tabling amendments
End of April 2013: Orientation vote in LIBE Committee
From May 2013 on: Negotiations between European Parliament, Council and Commission
 
The regulation should be finalized and adopted in 2014.