The growing globalisation of data flows, via social networks, cloud computing, search engines, location-based services, etc., increases the risk that people can lose control of their own data. On 21 October 2013, Civil Liberties MEPs voted on a major overhaul of current EU data protection rules which aims to put people in control of their personal data, build trust in social media and online shopping and upgrade the protection of data processed by police and judicial authorities.
The new rules will also replace the current patchwork of national laws with a single set of rules, which should make it easier for companies to move across the EU while at the same time strengthening citizens' rights.
The EU's current data protection laws date from 1995, before the Internet came into widespread use, and do not cover data processed for law enforcement purposes. Today, 250 million people use the Internet daily in Europe. The new rules update existing legal principles and apply them to the new online environment, so as to ensure effective protection of the fundamental right to data protection and improve certainty as to the law for companies.
The changes made by the Civil Liberties, Justice and Home Affairs Committee to the European Commission proposal constitute Parliament's mandate to start negotiations with the Council on the legislative package. The full Parliament is expected to confirm the committee texts in a plenary vote on 12 March 2014. Inter-institutional talks will start as soon as EU countries agree on their own negotiating position. Parliament's aim is to reach an agreement on this major legislative reform before the end of 2014.
The data protection reform package consists of two draft laws: a general regulation covering the bulk of personal data processing in the EU and a directive on processing data to prevent, investigate, detect or prosecute criminal offences or enforce criminal penalties.
The draft regulation updates the principles set out in a 1995 directive, so as to keep pace with major changes in data processing brought about by the Internet. It would cover, for example, data processed on the Internet, e.g. for social networks, online shopping and e-banking services, and off it, e.g. for hospital and university registers, company registers of clients and personal data held for research purposes. The lead MEP on the draft regulation is Jan Philipp Albrecht (Greens/EFA, DE).
The draft directive would replace a 2008 framework decision on cross-border data processing in police and judicial cooperation. It is designed to protect both domestic and cross-border transfers of data, which is not the case today. It also sets a high level of data protection for citizens. The lead MEP on the draft directive is Dimitrios Droutsas (S&D, EL).
Before the Civil Liberties Committee vote, Parliament’s political groups negotiated a set of amendments covering many elements of both files, in order to achieve a strong mandate for negotiations with the Council and reduce the number of amendments put to a vote.
Here is an overview of some of the committee's key proposals for the regulation.
Data transfers to non-EU countries (Article 43a)
The rules voted in committee govern transfers of personal data to third countries. If a third country asks a firm (e.g. a search engine, social network or cloud provider) to disclose personal data processed in the EU, the firm would have to get permission from the national data protection authority and inform the person concerned before transferring any data.
Penalties for companies (Article 79)
For those breaking the rules, data protection authorities would have to impose at least one of these penalties, say MEPs:
When imposing these penalties, the data protection authorities would have to take into account aggravating factors such as the duration of the breach, its negligent or repetitive character, willingness to cooperate and the amount of damage done.
Right to erasure (Article 17)
According to Parliament's mandate, any person (data subject) should have the right to have their personal data erased when a) the data processing does not comply with EU rules, b) the data are no longer necessary for the purposes for which they were collected or c) the person objects or withdraws his/her consent for the processing of his/her personal data.
Furthermore, to enforce this right, if a person asks an Internet company to erase his/her data, the company should also forward the request to others which replicate the data. This "right to erasure" builds upon what is outlined in the 1995 directive and the Commission proposal.
However, this right would be restricted in some cases, for instance when the data are needed for historical, statistical and scientific research purposes, for public health reasons or to exercise the right to freedom of expression. Also, the right to erasure would not apply when the retention of personal data is necessary to fulfill a contract or is required by law.
The "right to erasure" would cover the "right to be forgotten" as proposed by the Commission.
Explicit consent (Article 7)
Where processing is based on consent, a company could process personal data only after obtaining clear permission from the data subject, who could withdraw his/her consent at any time. A person's consent means "any freely given, specific, informed and explicit indication of his/her wishes, either by a statement or by a clear affirmative action".
Civil Liberties MEPs retained this proposal. They also stipulate that the execution of a contract or the provision of a service cannot be made conditional upon consent to processing personal data that is not strictly needed for the completion of that contract or service.
Furthermore, according to Parliament's position, the consent loses its effect as soon as the processing of personal data is no longer needed for the initial purpose for which they were collected. MEPs also stipulate that withdrawing consent must be as easy as giving it.
Clear and plain language, right to information
To make it easier for people to give their informed consent, data controllers should use clear, concise, plain language when explaining their privacy policies, and especially when providing any information addressed specifically to a child, MEPs say (Article 11).
When collecting personal data, the controller should explain to the data subject whether his/her personal information will be transferred to commercial third parties, sold, rented out or encrypted. They should also state whether the personal data are being collected and/or will be retained beyond the minimum time needed for the specific purpose of the processing or for different purposes. This should be done using easily understandable texts and symbols, MEPs add (Article 13a).
The data controller would also be required to inform the person about various aspects of the data processing, such as the period of storage, the recipients of the personal data and the possible existence of profiling, as well as the data subject's rights of access, rectification and erasure of the data and to lodge a complaint with a data protection authority. (Article 14)
Profiling (Article 20)
The proposal sets limits to "profiling", a technique used to analyse or predict a person's performance at work, economic situation, location, health, preferences, reliability or behaviour based on the automated processing of his/her personal data.
MEPs' proposed changes point out that profiling, as a general rule, would only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract. They also clarify that profiling should not lead to discrimination or be based solely on sensitive data (i.e. data revealing, inter alia, ethnic origin, political opinions, religion, sexual orientation, genetic or biometric data, administrative sanctions or suspected offences).
The Civil Liberties Committee also makes it clear that profiling should not be based solely on automated processing and should comprise human assessment, including an explanation of the decision reached after such an assessment. This could affect the way in which creditworthiness is evaluated, for example.
Under the Commission proposal, any person would have the right to ask e.g. an email service provider or a social network to provide a copy of all his/her data in an electronic, commonly-used format, to be transferred to another provider or service (so-called right to "data portability", Article 18).
Civil Liberties Committee MEPs propose merging the right to data portability with the right to data access (Article 15) and stress that, for personal information processed by electronic means, the controller should provide a copy of these data "in an electronic and interoperable format". This would allow users to switch email providers without losing contacts or previous emails, for instance. Where technically feasible and at the request of the data subject, the data would be transferred directly from controller to controller (e.g. from email provider to email provider).
Data protection officer (Article 35)
Public institutions, companies processing the data of more than 5,000 people in a year and organisations whose core activities involve processing sensitive data or systematically monitoring people would be required to appoint a data protection officer (DPO). This proposal is based on the German model.
MEPs' amendments change the criteria for appointing a DPO, so the criterion would be not how many employees a company has (the Commission suggested at least 250), but rather how many people’s data it collects. Also, DPOs should be appointed for at least four years in the case of employees and two in that of external contractors. The European Commission proposed two years in both cases.
DPOs should be in a position to perform their duties independently and enjoy special protection against dismissal, says the Civil Liberties Committee.
Right to complain (Article 54a)
Under MEPs' amendments, any person whose personal data are processed by a controller (e.g. an Internet company) in another EU member state should be able to complain to the data protection authority of his/her choice (that of the country where the company is based or the one in his/her own country). This should make it easier for citizens to lodge complaints in their own language.
Stronger and more independent Data Protection Authorities
In line with Article 16 of the EU Treaty and with the case law of the Court of Justice of the EU, MEPs reinforce the independence of the Data Protection Authorities (DPAs) and clarify their powers of intervention.
One-stop shop and consistency mechanism
A key innovation of the regulation is that it sets a single competent authority for all processing activities of a data controller or processor in the EU. The DPA of the country where the controller has its main establishment would have the lead when it comes to taking measures with regard to that controller. The DPA would consult other national data protection authorities involved (e.g. that of the citizen lodging a complaint). This would have an impact on the oversight of Internet giants with offices in several EU countries.
In the event of disagreement, there would be a "consistency mechanism" in which the European Data Protection Board (a body that would coordinate DPAs) will be involved.
Whereas the general regulation will apply directly in member states, the directive on data processed by police and judicial authorities to prevent, investigate, detect or prosecute criminal offences or enforce criminal penalties will need to be transposed into national laws. EU countries may set higher standards than those enshrined in the directive.
Civil Liberties Committee MEPs insist that it is important to remove disparities among member states’ existing laws in this field and to close loopholes. To this end, this directive should be dealt with at the same time as the regulation (as a package). Here is an overview of some of the committee's key proposals for the directive:
- a number of concepts envisaged in the regulation, such as profiling, explicit consent, using clear, simple language and appointing a data protection officer, should also apply to the directive, says Parliament's negotiating mandate,
- personal data could be transferred to third countries or international organisations only if the transfer is needed for the same purposes of the directive, if the controller in the foreign country/organisation is a public authority and if the same level of data protection as is provided for in the directive is guaranteed. Transfers would also be allowed if the European Commission decides that the foreign country/organisation provides a proper level of data protection or when appropriate safeguards are established in a legally binding instrument (Article 33),
- member states should ensure that clear, easily understandable information is given to a person regarding the processing of his/her data and key rights, such as the right of access, rectification and erasure of his/her data, the right to lodge a complaint and to go to court and the right to compensation in the event of unlawful processing. Such rights should be exercised free of charge (Article 9a, Articles 11-17),
- data must be dealt with in a way that is protected against non-authorised or unlawful processing and against accidental loss, destruction or damage (Article 4),
- personal data should not be processed for purposes other than those for which they were collected. They must be deleted if they are no longer necessary for those initial purposes, say MEPs, adding that member states must ensure that time limits are set for the erasure of personal data (Article 7a, Article 4),
- profiling activities to single out a person without the suspicion that he/she has committed or will commit a crime would be possible only if strictly needed for the investigation of a serious crime or to prevent an imminent threat to public security or the life of persons (Article 9),
- as a general rule, law enforcement authorities would have access to the data of persons convicted of a crime, suspects (on reasonable grounds), victims and other persons connected to a criminal investigation, such as witnesses. Data of other persons would be processed only for as long as necessary for the investigation or for targeted, preventive purposes (Article 5), and
- MEPs introduce strict limits for the use of sensitive data (Article 8). Genetic data should be processed only to prevent a threat to public security or a specific criminal offence (Article 8a).
"Personal data" is any information concerning a person's private, professional or public life. It may be a name, a photo, an email address, bank details, his/her posts on social networks, medical information or his/her computer's IP address.
"Data controllers" decide on the conditions, purposes and the manner in which personal data are processed. They may be individuals, firms or public authorities. Examples of individuals who act as data controllers include doctors, pharmacists and politicians, when they keep data on their patients, clients and constituents.
"Data processors" process personal information on behalf and under the authority of data controllers but do not take decisions on conditions, purposes and means of the processing (outsourcers). For example, payroll companies, accountants and market research companies are data processors when they process personal information on behalf of others (e.g. other companies or public authorities, which would be data controllers in such cases). However, if they decide on conditions, purposes or act beyond the instructions of the controllers, they become controllers for that specific processing activity.
Personal data are used to identify a natural person. That person is the "data subject".
A record 3,133 amendments to the proposed regulation were tabled in the Civil Liberties Committee. Together with the amendments tabled in their opinions by the Industry Committee (417), the Internal Market Committee (226), the Employment Committee (27) and the Legal Affairs Committee (196), they make a total of 3,999 amendments. This is the highest number of amendments to a single legislative file ever tabled in Parliament.
Parliament's political groups negotiated 91 compromise amendments, combining those already tabled, in order to make it easier to vote on the regulation.
673 amendments to the draft directive were tabled in the Civil Liberties Committee. Together with the amendments tabled by the Legal Affairs Committee in its opinion (98), they make a total of 771 amendments.
Parliament's political groups negotiated 64 compromise amendments, combining those already tabled, in order to make it easier to vote on the directive.
The voting list for the regulation has 261 pages and the one for the directive has 57 pages (a total of 318 pages).
By the time of the plenary vote in March 2014, the data protection reform had been debated for 20 months. The committee's official debates alone accounted for about 30 hours. Informal negotiations among political groups took around 250 hours.
Parliament's negotiating mandate for the regulation was adopted by 51 votes to 1, with 3 abstentions.
Parliament's negotiating mandate for the directive was adopted by 47 votes to 4, with 1 abstention.
Parliament's negotiating team for the regulation will be formed by Juan Fernando López Aguilar (S&D, ES), Civil Liberties Committee Chair, Jan Philipp Albrecht (rapporteur) and Axel Voss, Dimitrios Droutsas, Alexander Alvaro (ALDE, DE), Timothy Kirkhope (ECR, UK) and Cornelia Ernst (GUE/NGL, DE) as shadow rapporteurs.
Parliament's negotiating team for the directive will be formed by Juan Fernando López Aguilar, Civil Liberties Committee Chair, Dimitrios Droutsas (rapporteur) and Axel Voss, Sophia in't Veld (ALDE, NL), Jan Philipp Albrecht, Timothy Kirkhope and Cornelia Ernst as shadow rapporteurs.
Parliament's negotiating team is ready to start negotiations with member states. The Council's Greek Presidency wants to have a negotiating mandate ready as soon as possible. Once the Council (EU member states) has agreed on a common position, the talks will start. Parliament's aim is to reach an agreement before the end of 2014.
Once adopted, member states would have 2 years to bring the regulation into effect and transpose the directive into their national laws.