European Parliament Data protection draft – compromise or compromised?
The draft Report of the European Parliament on the European Commission's proposed Data Protection Regulation was published today. The Parliamentarian responsible, German Green MEP Jan Albrecht, has sought to improve on the Commission's initial proposal and also to address many of the concerns raised by his colleagues in the discussions that have taken place so far in various Committees. The draft text is therefore a mix of straightforward attempts at positive improvements and attempts at compromise based on the opinions so far expressed by his colleagues.
Two significant attempts at improvement are the introduction of the concept of “singling out” of individuals and access to data by foreign governments. The “singling out” concept seeks to address the current “grey area” of the collection of data to profile individuals based on their tastes, browsing habits or purchase history, rather than identifying them by name. The proposal on access to data by foreign governments seeks to re-introduce the approach initially favoured by the European Commission before a heavy lobbying campaign by the US government led to the deletion of the entire article, before the proposed Regulation was published.
There are numerous examples of Mr Albrecht seeking to find compromises with his colleagues, as a result of the debates that have so far taken place in the Parliament. One of the most surprising is the inclusion of a definition of “anonymous” data, following demands made by various Parliamentarians. The need for a definition of non-personal data in a Regulation about personal data appears superfluous at best and, at worst, needlessly confusing.
One of the most controversial issues in the Regulation is the concept of “legitimate interest”. Under this approach, companies can decide to process personal data without permission and without this being necessary for the conclusion of a contract. They may do so if they feel that their reasons for doing so are more compelling than the individual's right to privacy (although this decision may be challenged in the courts or by a Data Protection Authority). Contradicting proposals from Green colleagues to delete this exception, Mr Albrecht suggests a compromise – permitting this unilateral approach if it is “exceptional”. The data controller would be required to justify the use of this approach and to inform the data subject. Five broad justifications are listed for the use of the “legitimate interest” exception – one example being the sending of junk mail by a company that is already providing services to the data subject (as is currently the case under EU law for sending junk e-mail).
While this exception is still very broad, the proposed text does, at least, avoid the “Instagram on steroids” proposals made by some Parliamentarians. In December, the image editing and hosting service Instagram proposed unilaterally changing its terms of service, to allow it to licence users' pictures for use by third parties. This caused an outcry and the plan was ultimately withdrawn. However, whereas Instagram gave advance notice of its intended change of policy, some Parliamentarians have suggested that companies should have the right to give themselves the power (if they believe it is in their “legitimate interest” to do so) to pass on personal data to third parties (without permission). Worse still, they also propose that those third parties could use those data, also without permission, for purposes that are incompatible with the original reason for collecting the data. In other words, companies like Instagram would not even need to ask for permission before re-using personal data. As the third parties would not be required to ask for authorisation – or register the processing with a Data Protection Authority – data subjects would have no power at all over the use of their personal data, effectively eliminating their fundamental right to data protection. Their only protection would be the right, after the abuse of their data took place, to seek a court or a Data Protection Authority ruling that the company's data processing was excessive.
The provisions on profiling are also compromised. For example, following the logic of various fundamental rights restricting measures proposed by the Commission in the area of profiling for policing purposes, Mr Albrecht's report suggests that measures that produce legal effects on the data subject may not be based “solely” on automated processing. This wording is so narrow that any human intervention at all would be enough to satisfy this “safeguard”. Oddly, there is also an amendment suggesting that children may not be identified or “singled out” by profiling – even though it would seem clearly helpful to child protection if the identification of children for the sole purpose of not targeting certain services to them were permitted.
Reacting to the concerns of many Parliamentarians, Mr Albrecht also suggests removing or watering down, by various methods, the number of “delegated acts” which the Commission can unilaterally take in order to improve implementation of the Regulation. Delegated acts whose deletion is proposed include the one on establishing grounds for the “legitimate interest” exception, verifiable consent and the processing of special categories of personal data. Requirements regarding information that should be provided to the data subject are one of several examples where the Commission's proposed powers are watered down by the inclusion of a requirement for a prior approval by the Data Protection Board.
Generally, many of the proposals from Mr Albrecht represent an improvement on suggestions already been made by lobbyists and certain Parliamentarians. However, it is far from certain whether his colleagues will accept the draft report as a genuine first attempt at compromise or simply a compromised position that can be further eroded during the remainder of the legislative process.