Euro Parliament Committee votes to tighten data protection law


Back to the overview
Euro Parliament Committee votes to tighten data protection law
On 22 October, members of the European Parliament's Committee on Civil Liberties, Justice and Home Affairs took a significant step in the discussions on the revision of the Data Protection law and adopted an amended version of the Commission's proposal for a Regulation (Proposal for a Data Protection Regulation, published in January 2012).

The Parliament adopted amendments increasing the burden on "data controllers", and giving data protection authorities the power to impose heavy fines – up to 5% of global annual revenue – on companies in breach of the law.

What are the main changes to the proposed regulation?
  • The definition of “Personal Data” – and thereby the scope of application of the future Regulation – is extended to cover a vast array of data, including “an identification number, location data, unique identifier”. If this definition is maintained, processing of any such type of data will trigger rules and protections in situations that have, in practice, very little (or no) impact on user's privacy.
  • A definition of “Pseudonymous Data” is included, defined as “personal data that cannot be attributed to a specific data subject without the use of additional information”, as long as such additional information is kept separately. Inclusion of this concept – heavily denounced by privacy advocates – is welcome. However, the current definition does not encompass the industry's understanding of such type of data, especially inasmuch as the new definition refers to data which cannot be “attributed” to a user – whereas industry believes it can be “attributed”, but not used to allow a user to be “identified”. This is a small but important distinction which the compromise amendment failed to encompass.
  • A single requirement for “explicit consent” for all categories of information (from pseudonymous to the truly sensitive) was maintained, despite being considered largely disproportionate in many instances – including many common and harmless uses of data for marketing purposes. This does not reflect the “risk-based” approach advocated by many stakeholders, including a large majority of Member States.
  • A definition of “Profiling” is added and its practice is regulated in a revised article. Although it will be permitted as long as the data processed is “pseudonymous”, the wording remains confusing and a source of legal uncertainty.
  • The collection of data will be permitted on the basis, among others, of the “legitimate interests” of the data controller – a welcome alternative to consent-based solutions, which may not always be appropriate. The “legitimate interests” of the controller are defined in somewhat vague terms but rely on the user's “reasonable expectations,” a concept that may be challenging to define considering the varying degrees of literacy and habits in a fast-evolving digital environment.
  • Requirement to obtain parental consent for the collection of data from children under 13 was extended to “the offering of goods or services to a child”, while the Commission's original draft applied only to the offering of “information society services”. Although this provision was reworded to exclude instances where “unnecessary processing of personal data” would be required, this does not mitigate concerns that this requirement will be burdensome in many non-invasive techniques. The European Data Protection Board – a new structure regrouping the Data Protection Authorities in all 28 Member States, similar to the Article 29 Working Party – structure created by the Commission's new Regulation – would be in charge of issuing “guidelines, recommendations and best practices” to determine the methods to define parental consent.

To a great extent, the vote resulted in the adoption of data protection rules stricter than the ones put forward in the Commission's Proposal. The nearly unanimous adoption of this draft report will form the basis of negotiations between the Council and lead negotiators for the EP.

Following months of negotiations on the 3000+ amendments tabled on the draft report by Rapporteur Jan Philipp Albrecht (published in January 2013), the representatives of the EP's largest political groups agreed in the last few weeks on no less than 90 “compromise amendments” (compilations and rewordings of several amendments tabled on similar articles into acceptable compromises for all parties). Most of the compromise amendments were voted in one single block vote – highlighting a great degree of consensus achieved ahead of the vote, with 49 votes in favour, 1 against and 3 abstentions.

Although the vote had previously been delayed on several occasions, the key actors involved considerably stepped up the pace of negotiations in the last few months, fuelled in part by on-going revelations of third country government surveillance programmes.

Sign up to monthly WFA news