Brief overview of the leaked EU Data Protection Regulation
This article is also available in:
Deutsch: Ein Überblick über die geleakte EU-Datenschutzverordnung
Last week, Europe was able to get a first glance at the "General Data Protection Regulation" thanks to a leak by Statewatch. It is due to be officially published on 25 January 2012 and will repeal the outdated Data Protection Directive from 1995. It keeps the Directive's key principles but also aims at taking into account the technological developments. It aims at greater harmonisation and more "coherent" rules: "Differences in the level of protection of the rights and freedoms of individuals may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law."
The draft regulation introduces new rights and new definitions. Sensitive data are now redefined to cover genetic and biometric data. The definition of a data subject is mildly extended to a person who can be identified directly or indirectly by the controller or "any natural or legal person". New rights include clearer rights on data portability. It also introduces mandatory reporting of data breaches as well as new competences and powers for supervisory authorities in terms of independence and capacity. Moreover, the regulation (article 63) establishes a European Data Protection Board which is going to replace the existing Article 29 Working Party.
Article 2 of the Regulation defines the scope and states that it also "applies to the processing of personal data of data subjects residing in the Union not carried out in the context of the activities of an establishment of a controller in the Union, where the processing activities are directed to such data subjects, or serve to monitor the behaviour of such data subjects." It will thus apply to businesses that have entities in Europe, use equipment in the EU to process data or who have data processing activities directed to EU data subjects or served to monitor their behaviour.
Users can still make requests to access their data and ask for erasure. This "right to be forgotten" (Art. 15) is basically a re-packaging of the already existing right to deletion after the purpose has been fulfilled (Art. 12 of Directive 95/46/EC). The current draft proposal goes further than the 1995 Directive proposing the right to erasure if the data are no longer necessary or if the data subject withdraws his/her consent, including the right to erasure of any public Internet link to, copy or replication of personal data relating to the data subject in any public communication service. This especially applies "in relation to personal data which are made available by the data subject while he or she was a child".
It has already been argued that the article on the right to be forgotten was not particularly well drafted and could therefore have serious and obviously unintended implications for freedom of speech. Even though one of the aims of this article is to counter the loss of purpose limitations in social media, it must be carefully drafted to avoid its potential misuse as a tool for censorship. It has also been criticised as data controllers, for instance blogs or other independent media that do not comply with the 'right to be forgotten', could be fined between 500 and 600 000 Euros.
One of the elements of the draft regulation that can be applauded is represented by articles 37 and 42 which regulate data processing by third countries. Data can be transferred to a third country only if certain criteria are met to ensure the level of protection of individuals for the protection of personal data. Article 42 addresses extra-territorial actions by third countries such as the USA Patriot Act and the USA Foreign Intelligence Surveillance Act and imposes barriers for foreign judicial authorities to access European data. This article is particularly interesting with regard to the US requests for European data such as the request for twitter account details of European citizens that might be related to WikiLeaks.
Proposal for a Regulation on the protection of individuals with
regard to the processing of personal data and on the free movement of such
data (General Data Protection Regulation)
9 Reasons Why a 'Right to be Forgotten' is Really Wrong (8.12.2011)
A quick review of the draft EU Data Protection Regulation- Privacy
(Contribution by Kirsten Fiedler - EDRi)