On January 10, 2013, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), Jan Philipp Albrecht, presented his draft report (the “Report”) on the proposed amendments to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) to the LIBE Committee.
The Report includes detailed changes proposed by various stakeholders which Rapporteur Albrecht consolidated and distilled into a single text. The text will form the basis for further LIBE (and other) committee discussions before being voted on by the EU Parliament. This Report is a first draft prepared for one committee of one of the three EU institutions (the European Commission, the Parliament and the Council), and, accordingly, the changes suggested are by no means final.
The main amendments suggested in the Report include the following:
Extended Territorial Scope
The Report expands the application of the Proposed Regulation to non-EU based data controllers to cover all data processing activities aimed at (1) offering goods and services to EU residents (even if they are free of charge), or (2) monitoring EU residents in general (not only their behavior).
Clarification of Key Concepts
The Report clarifies the concept of “personal data” to cover data relating to individuals who can be singled out (not just identified), and also introduces new definitions for terms such as “transfer,” “profiling” and “pseudonyms.”
Changes to the Legal Bases for Data Processing: Legitimate Interest and Consent
The Report limits the scope of the “legitimate interest” legal basis for data processing to “exceptional circumstances,” on the condition that the data controller (1) informs the individuals concerned explicitly and separately, and (2) publishes the reasons for believing that its interests override the interests or fundamental rights and freedoms of the individuals. The Report provides further guidance on the circumstances in which the legitimate interests of the data controller may override the interests or fundamental rights and freedoms of the individuals.
Reinforcement of Data Subjects’ Rights
Individuals’ rights are further reinforced and the obligations on data controllers increased. In particular, the right of access is strengthened to include a right to data portability, and data controllers would be required to provide and communicate their privacy policies using a multi-layered approach. Profiling of individuals also is further restricted. On the other hand, individuals will not be able to invoke the controversial “right to be forgotten” where the publication of their personal data has a legitimate legal basis.
Data Protection Officers
The Report replaces the employee-based criterion for appointing a data protection officer (introduced by the European Commission) with a new test: data controllers would be obliged to appoint a data protection officer if they process personal data relating to more than 500 data subjects per year. This means that even small data controllers would be obliged to appoint a data protection officer if they meet this threshold.
Breach Notification, Fines and Compensation
According to the Report, data breaches should be notified to the National Supervisory Authority within 72 hours, as opposed to the 24 hours initially proposed by the European Commission.
The Report makes several modifications regarding how national supervisory authorities will determine fines. Maximum fines remain tiered in three categories (€250,000 or 0.5% annual global turnover; €500,000 or 1% annual global turnover; and €1,000,000 or 2% annual global turnover). However, the scope of the highest category of fines has been expanded significantly to cover all infringements of the Proposed Regulation that do not fall into any of the other categories.
Further, the Report clarifies that the data subject’s right to compensation includes the right to be compensated for non-pecuniary damage such as wasted time or distress. The European Data Protection Board (“EDPB”) is tasked with ensuring that the national supervisory authorities apply their sanctioning powers consistently.
International Data Transfers
The Report would eliminate the European Commission’s ability to recognize sectors in third countries as providing an adequate level of data protection. Adequacy decisions would require delegated acts to ensure that the Council and Parliament participate in the decision-making process. The Report also proposes amendments regarding international data transfers to third countries under the Safe Harbor regime or using standard contractual clauses. The relevant Commission decisions allowing the use of these data transfer mechanisms would expire two years after the Regulation takes effect (whereas the Proposed Regulation initially stated that such decisions remain in force “until amended, replaced or repealed by the Commission”). In addition, the Report adds further criteria for adequacy findings and strengthens the criteria for Binding Corporate Rules. The Report also inserts new provisions addressing data transfer requests from courts and authorities in third countries, requiring prior authorization from the national supervisory authorities in certain cases.
Strengthening of the EDPB and the New Consistency Mechanism
The Report includes a noticeable focus on the EDPB, the intended successor of the current Article 29 Working Party. The Report transfers certain powers that were assigned to the European Commission to the EDPB, and reduces the European Commission’s power to adopt delegated acts.
Another important amendment is the revised consistency mechanism: in the event multiple national supervisory authorities are competent, one national supervisory authority will take the lead and coordinate its efforts with the remaining authorities internally. In contrast, the European Commission’s text afforded a single national supervisory authority the power to regulate businesses with multiple EU establishments without having to formally coordinate its actions with other supervisory authorities. The scope of supervision also is extended: a national supervisory authority would be competent if “personal data of residents of that Member State are processed.” This represents a step away from supervision based on territory, and a step toward supervision based on the origin of personal data.
Other changes proposed by the Report include:
- an emphasis on data protection by design and default;
- a wider scope of national derogations to safeguard the freedom of expression;
- rules governing health data and how it may be processed;
- rules on how to process personal data for historical/statistical purposes; and
- derogations on the use of social security data.