On January 10, 2013, Jan Philipp Albrecht, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), presented his draft report (the “Report”) proposing amendments to the European Commission’s proposed Data Protection Regulation (the “Proposed Regulation”).
Albrecht’s amendments to what was already a complex and prescriptive piece of draft legislation have received mixed reviews from government and industry. The UK recently voiced its criticism of the current proposals, while the European Data Protection Supervisor (EDPS) reacted positively to Albrecht’s report, indicating that it was impressed with the changes made, as they included many of the EDPS and Article 29 Working Party recommendations.
Albrecht has recommended significant alterations to the most contentious provisions, such as the definition of personal data, consent, the rights of access, portability and to be forgotten, and the 24-hour breach notification. Albrecht has sought to simplify the legal framework while also strengthening individuals’ rights.
The definition of personal data includes data that would single a person out, either from data held alone or when used in “combination with associated data,” and seeks to clarify uses of pseudonymised data and create a definition for anonymous data that prevents identification of a person, where identification, directly or indirectly, would require a “disproportionate amount of time, expense and effort.”
Albrecht believes consent “is the best way for individuals to gain more control over data processing activities,” and his proposed amendments require consent to be explicit, freely given, specific, informed, and obtained through “clear affirmative action,” since pre-ticked boxes cannot be seen to express free consent.
The right of access would now include the ability to obtain information about profiling and whether a governmental authority had requested data, as well as whether an organisation had complied with that request. The right of portability would be amended to be part of the right of access, so that copies of data are provided in a format that can be migrated to another service.
In relation to the right to be forgotten, Albrecht includes a provision for erasure if there are no legitimate grounds to retain the data. This aims to ensure that companies that have transferred data to third parties without a legitimate legal basis do actually erase the data. Viviane Reding, in a speech at the EC Justice Council meeting in Dublin on 18 January 2013, endorsed this “ambitious and pragmatic” approach as being necessary to prevent imposing unreasonable obligations on businesses.
Responding to the perceived short time limit of 24 hours for notifying the National Supervisory Body of personal data breaches initially proposed by the European Commission, Albrecht suggests extending the time frame to 72 hours.
Albrecht also recommends more onerous notification requirements, with data controllers required to use a multi-layered approach including easily understandable, icon-based descriptions for different types of processing.
Albrecht also recommends that organisations’ ability to rely on the legitimate interest basis for processing data be limited to “exceptional circumstances,” where it would be possible for the data controller’s interests to override the fundamental rights and freedoms of data subjects.
Other amendments proposed by Albrecht include changing the criterion for mandatory appointment of a data protection officer (DPO) from having more than 250 employees to processing the data of 500 individuals or more per year. This means that even small companies and start-ups would incur this expense.
In its recent response to the UK Justice Select Committee’s opinion on the Data Protection framework proposals, the UK Ministry of Justice found mandatory appointments of DPOs unnecessary and suggested that data controllers should be encouraged to appoint DPOs “if they were felt necessary to ensure compliance with the proposed Regulation.” Both the UK Ministry of Justice and the UK Justice Select Committee have been highly critical of the proposed Regulation, finding it overly prescriptive and likely to increase costs to the UK economy by between £100 million and £360 million per annum. The UK Government would likely view Albrecht’s amendments even more harshly, since the UK would like to see the draft Regulation recast as a Directive to allow Member States a degree of flexibility.
The Irish government, which currently holds the EU presidency, also expressed concern at a Justice Council meeting in Dublin, suggesting that the household exemption (which permits individuals processing data as part of purely personal activity) and the right to be forgotten are unrealistic. While the Irish have previously said that the proposed Regulation is a priority they would like to see passed during their EU term of presidency, the draft Regulation is continuing to prove highly contentious, and any effort to further constrain business is likely to meet with resistance from some Member States as well as industry.