Lead EU Lawmaker Report Seeks Changes To Proposed Data Protection Regulation

BRUSSELS--The European Commission’s proposal to rewrite the European Union’s data protection regime is likely to be broadly acceptable to the European Parliament, provided that “clarifications” are put in place, the Parliament’s lead negotiator on the revision said Jan. 9 in a press briefing, referencing his draft report on the EC's proposed data protection regulation.  

The report by Jan Philipp Albrecht, a German Green member of the European Parliament and “rapporteur” for the data protection dossier, suggested, among many other things, that the controversial right to be forgotten principle--which would require companies to remove individuals' personal data from the internet and elsewhere upon demand--apply only to situations where information has been posted without data subject consent.

In addition, Albrecht recommended that the proposed regulation's provision that would require companies to provide notification to data protection authorities of a breach of personal information within 24 hours of its discovery be changed to set the notification deadline at 72 hours.

“Those who expected a conciliatory report searching for compromise and practical solutions will be disappointed, as many of the proposed amendments will strengthen the rights of individuals and supervisory authorities and reinforce existing, or impose additional, obligations on companies,” Monika Kuschewsky, special counsel at Covington & Burling LLP's Brussels office, and Kristof Van Quathem, policy adviser in the firm's Brussels office, said in a Jan. 8 blog post. “As a result, the draft report is expected to be heavily criticized and amended in the months to come.”

Committee Seeks to Finalize Report in April

Albrecht told reporters that the Commission’s proposal was in line with the wishes of Parliament, as expressed in a July 2011 resolution (10 PVLR 1001, 7/11/11).

The Commission proposed in January 2012 to revise the European Union’s 1995 Data Protection Directive (95/46/EC) (11 PVLR 178, 1/30/12). The revision is designed to replace the current system of national data protection laws that transpose the EU framework Data Protection Directive with a regulation providing a single EU data protection law that would apply uniformly throughout the 27-member state bloc.

Albrecht's draft report for Parliament’s Committee for Civil Liberties, Justice and Home Affairs, which was released Jan. 8, is the first step in the Parliament’s internal deliberations on the proposed regulation. The committee is scheduled to discuss the report Jan. 10. Lawmakers have until Feb. 27 to put forward amendments to the report, and the committee is expected to vote on the final report in April.

Albrecht said that although he broadly backed the initial EC proposal, the Parliament would seek to give the Commission less authority than was envisioned in the proposed regulation to promulgate delegated acts--supplementary regulations--once the main data protection framework is in place.

Implementation by the Commission of supplementary regulations should be “reduced to absolutely those things that are not the core of the content but only technical provisions,” Albrecht said. Broader issues should be referred back to the Parliament and EU Council, which represents the governments of EU member states, he added.

Thereafter, the European Parliament must negotiate the final form of the legislation with the EU Council.


Right to Be Forgotten, Breach Notice Changes

The 215-page draft report includes 350 suggested amendments to the original text of the proposed regulation that are set out with side-by-side comparisons of the language of the original text and the relevant proposed amendments. At the end, the report includes Albrecht's explanatory statement on his proposed amendments.

Albrecht's explanatory statement said that although he supports the right to be forgotten principle, it must be clarified to limit its scope. “Where the individual has agreed to a publication of his or her data, however, a 'right to be forgotten' is neither legitimate nor realistic,” he said.

Albrecht also proposed changing the deadline for reporting data breaches to DPAs from 24 to 72 hours.

As a means of avoiding so-called “notification fatigue,” he also proposed a threat of harm threshold to require notice only when a “breach is likely to adversely affect the protection of the personal data or privacy of the data subject: for example in cases of identity theft or fraud, financial loss, physical harm, significant humiliation or damage to reputation.”

Albrecht said that the proposed data protection regulation should be clarified to state that data privacy is a fundamental right and that there should be a rigorous principle of “if you want my data, ask for my consent.”

There should also be a “one-stop shop” regime for companies and individuals, who would be able to refer to their national DPAs on any data privacy issue, he said.

He added that the final regulation should also:

• require data processors to adopt privacy by design and establish strong privacy settings as their technical default;

• promote anonymization of data;

• make EU data protection standards applicable wherever data about European residents are processed, whether inside or outside the European Union;

• minimize red tape and delete “overly burdensome provisions”;

• make company data protection officers clearly responsible and accountable for corporate compliance;

• give the proposed European Data Protection Board a more clearly defined role, including to “carry the main burden for finding common interpretations and common measures” relating to the new data protection regime;

• set “strong” sanctions for data breaches but ensure that they be proportional to company size and seriousness of the breach; and

• allow introduction of derogations from the regulation only “where demonstrably necessary.”


According to a Jan. 10 blog post by Hunton & Williams LLP, Albrecht's report “expands the application of the Proposed Regulation to non-EU based data controllers to cover all data processing activities aimed at (1) offering goods and services to EU residents (even if they are free of charge), or (2) monitoring EU residents in general (not only their behavior).”

Other notable proposed changes in the report, according to Hunton & Williams, include the clarification of “the concept of 'personal data' to cover data relating to individuals who can be singled out (not just identified)” and the limitation of “the scope of the 'legitimate interest' legal basis for data processing to 'exceptional circumstances,' on the condition that the data controller (1) informs the individuals concerned explicitly and separately, and (2) publishes the reasons for believing that its interests override the interests or fundamental rights and freedoms of the individuals.”

“The Report replaces the employee-based criterion for appointing a data protection officer (introduced by the European Commission) with a new test: data controllers would be obliged to appoint a data protection officer if they process personal data relating to more than 500 data subjects per year,” Hunton & Williams said. “This means that even small data controllers would be obliged to appoint a data protection officer if they meet this threshold.”

“[T]he scope of the highest category of fines has been expanded significantly to cover all infringements of the Proposed Regulation that do not fall into any of the other categories,” Hunton & Williams added.

“The report amends the proposed Regulation with respect to third country transfers based on Safe Harbor agreements or model contractual clauses,” Winston Maxwell, partner at Hogan Lovells, in Paris, pointed out in a Jan. 8 blog post. “The amendment includes new language that such arrangements will remain in force only two years after the Regulation takes effect, whereas the original proposal would have left such arrangements in effect 'until amended, replaced or repealed by the Commission.'”

Mixed Reviews on Report

The European Commission said in a Jan. 8 statement that it welcomed Albrecht’s report. The Commission’s top data protection official, Vice President Viviane Reding, said that Albrecht supported “the Commission’s aim to strengthen Europe’s data protection rules which currently date back to 1995--pre-Internet age.”

The Brussels-based European Digital Rights organization, an umbrella organization of civil and privacy rights groups, said in a Jan. 8 statement that Albrecht had improved on the Commission’s proposal in some areas, such as the clarification that EU data should always be subject to EU data protection rules, but had compromised in other areas.

For example, Albrecht's report retained a provision allowing the processing of data without the subject’s explicit consent if the reasons for processing “are more compelling than the individual’s right to privacy” and if the data subject is informed, the group said. This could be a “compromised position that can be further eroded during the remainder of the legislative process.”

“A number of the proposed amendments are closely related [to] online practices,” Kuschewsky and Van Quathem said in their blog post. “This is rather worrisome as the proposed Regulation is not limited to online data processing, and care should be taken not to turn the General Data Protection Regulation into an Internet Data Protection Regulation.”

By Stephen Gardner  

Albrecht's 215-page “DRAFT REPORT on the proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 -- C7-0025/2012 -- 2012/0011(COD))” is available at http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf.
