The Proposed EU Data Protection Regulation One Year Later


One year ago, the European Commission published its proposal to reform the European Union’s legal framework for data protection. The proposal for a General Data Protection Regulation seeks to shift the focus away from paper-based, bureaucratic requirements and towards compliance in practice, harmonization of the law and strengthening of the rights of consumers. In ambition, scope and size the draft Regulation is the largest and most complex piece of data protection legislation ever proposed (on this issue see also

Consumers across Europe have high expectations that the ongoing reform will restore their control over their personal data. This is all the more important in an ever more complex online environment where individuals’ fundamental right of personal data protection is being violated, unknown to consumers.

Consumers currently live in a digital ‘dark room’ in terms of control over the way information, including their identity, daily lives, social activities, political views, hobbies, financial data and health records, is collected and processed by multiple companies. Billions of euro are made each day by “flourishing” companies (ab)using our personal data.

A solid legal framework for data protection would help boost consumer confidence, especially in the complex online environment. Innovation will only be able to be rolled out on a large scale if people trust the way their data is being handled. Consumer confidence is essential to economic recovery.

The draft proposal is currently being discussed at the European Parliament and among Member States at the EU Council. Once the European Parliament and the EU Council have reached their final positions, they will still have to negotiate between themselves to reach a final agreement. The European Commission is keen to have the procedure completed in time for the next EU parliamentary elections in June 2014.

On 8 January 2013, the main rapporteur for the Regulation in the European Parliament, German Green Member Jan Philipp Albrecht, issued a draft report on the Regulation for the Committee on Civil Liberties, Justice and Home Affairs (LIBE). Other members of the Committee have also tabled a total of 3000 amendments, which is a record for the European Parliament and clearly demonstrates the interest in the proposal. The vote on the amendments is scheduled for 29 May 2013.

The Albrecht report generally supports the objectives of the EU Commission’s proposed reform, and its attempt to establish a coherent, harmonious and robust framework with a high level of protection of all data processing activities in the EU.

The main issues that have emerged at the European Parliament are the following:

Broader application of EU data protection law:  The criteria for the application of EU data protection law have been broadened. Companies that collect data of EU individuals with the aim of offering goods or services (even without any payment) or monitor such individuals (not just their behavior) would be subject to EU data protection law.

Personal data: The Report broadens the concept of personal data by providing that data subjects now include natural persons who can be identified or ‘‘singled out’’ directly or indirectly, ‘‘alone or in combination with associated data.’’ According to the Report, internet protocol (IP) addresses, cookies, and other unique identifiers will in most cases be considered to be personal data, since they leave traces and can be used to single out natural persons.

Consent: Consent must be freely given, specific, informed and explicit, consequently impeding data controllers from relying on implicit consent and on pre-ticked boxes. Furthermore, consent will not be a valid legal basis where the company ‘‘is in a dominant market position with respect to the products or services offered to the data subject, or where a unilateral and nonessential change in terms of service gives a data subject no option other than to accept the change or abandon an online resource in which they have invested significant time.’’

Transparency: the draft Regulation aims to increase the transparency of data processing, and to this end it imposes stricter informational and transparency obligations on companies. Lack of transparency and lack of clear information is a major deterrent to users in the assertion of their rights. The privacy policies of many online service providers include complex and legal terms which fail to comply with the principles of transparency and fairness, aiming exclusively at complying with legal requirements rather than informing consumers. They are often obscure on issues where clear explanations matter the most, for instance on the question of whether data is shared with or sold to third parties, who these third parties are and what they intend to do with the data, the use of cookies and other data collecting technologies and data retention limits.

Privacy policies are not always easy to spot on websites, while they may not be updated once they are published, even when the content and the nature of the service have evolved. The new Regulation, once adopted, will require information to be provided in an intelligible form while using clear and plain language.

Right to data portability: The draft Regulation introduces the new right to data portability in the proposal. In the online environment, consumers store huge amounts of information (e.g. social networks, e-mail services…). At present, consumers are too often ‘locked-in’ to online services and platforms with no possibility of transferring this data onto other (competing) platforms. The right to data portability allows the consumer to be in control of his data and retain the ownership, by being able to shift the data to other services. However, it remains to be seen whether this right will survive the legislative process, as companies are concerned that they will lose customers if this right is to be implemented.

Right to be forgotten and to erasure: The digital print left by individuals when personal data is processed online is problematic for consumers; consumers may well wish to erase the traces they leave behind on the Web at one point in time. The controversial right to be forgotten is viewed in the Report as an extension of the right to erasure and rectification. The consumer should be able to delete the information provided to a company when the data is no longer necessary or when he withdraws consent. The Report maintains freedom of expression as a potential exception to the right to be forgotten, underlining the importance of balancing these two rights against each other for ‘‘any measures for erasure of published personal data.’’

Data breach notification: In case of a breach of personal data, companies will have to notify the Data Protection Authority within 72 hours of the amount and type of personal data that has been leaked and the measures taken to mitigate the problem. Furthermore, to prevent notification fatigue, data subjects should only be notified in case of serious breaches, such as identity theft or fraud, financial loss, physical harm, significant humiliation, or damage to reputation. The notification to data subjects should contain information regarding their rights, including possibilities of redress and the contact details of the Data Protection Authority.

Effective redress: The possibilities for individuals and associations to seek effective redress are further strengthened. For example, the right to lodge a complaint before DPAs, to go before the courts, and to seek redress for pecuniary loss, including judicial collective actions, will be extended to any associations acting in the public interest, and will not be limited to associations specialized in data protection. The report also recommends allowing associations to bring judicial collective actions for compensation.

Sanctions and fines: Highly significant is the new regime for penalties and administrative fines, which are, for the first time in the history of data protection law, of significant magnitude, going as far as 2% of the global turnover of a company. To give an example of the potential maximum amount of such a fine, Google’s annual revenues in 2010 were approximately $29 billion, two per cent of which would be approximately $580 million.

The process for the final adoption of the Regulation will take at least one more year to complete, during which many of its provisions are likely to change. However, the right to the protection of personal data should not be eroded or undermined simply because it became easier or more profitable to break it in the digital environment.

There are not many issues on which Europe currently has global leadership. But the protection of personal data is one such example. The European legal framework for the protection of personal data has become a model around the world, having a huge impact on other continents and countries – many have reformed their national laws according to the European standards.

Members of the European Parliament should not miss this opportunity – the Parliament should stand firm against the many industry demands to weaken the rules proposed by the European Commission.


Kostas holds the position of Senior Legal Officer at BEUC and is leading BEUC’s Digital Team. He has been working at BEUC’s Legal Department since January 2009 and his main areas of expertise are Intellectual Property Rights, e-commerce and data protection. He has been working on a number of EU policy issues, including enforcement of Intellectual Property Rights, collective management of copyright, audiovisual content and copyright levies. Kostas has been representing consumers in a number of expert groups of the European Commission on IPR-related issues, such as copyright levies, multi-territory licensing of content online and online counterfeiting. Kostas is a Greek qualified lawyer, member of the Bar of Thessalonica, in Greece.
