Following the recent vote, the Internal Market and Consumer Protection Committee (IMCO) of the European Parliament has just published a final version of its “Opinion” (pdf) on the European Commission’s proposal for a General Data Protection Regulation. The text was adopted with a small majority, underlining how controversial the dossier is.
While the Committee proposes leaving a few of the Commission’s proposals untouched, the text shows the extent to which industry lobbying risks completely destroying the fundamental right to privacy and data protection. Ironically, it also proposes helping business by imposing bureaucratic “solutions” that would be almost impossible to implement.
Destruction of rights
The most basic of privacy rights is to know who is processing your data and for what purpose. The Committee proposes removing this right. Specifically, it proposes that it should be legal for a company to:
a. collect an individual’s data without consent (if the company thinks that its interest in doing so outweighs the interests of the individual);
b. to pass on the data to a different company and
c. for that company to have the right to process the data for purposes that are incompatible with the original reason for collecting the data.
This approach would completely remove the control of the individual over their data as it would eliminate the possibility to find out easily if data were being processed and by whom.
Finally, the Commission’s proposal to place restrictions on profiling is effectively destroyed by the Committee. It proposes instead a legally incompetent text which simply says that profiling which would in any event be illegal (“unfair or discriminatory”) should be illegal.
The Committee suggests that “strongly” encrypted data should fall outside the scope of the Regulation – although this point is made in an article on data breach notification, so it is difficult to guess if this is supposed to mean “falls outside this legislation” or “falls outside this article”. The problem is that technology has not stopped developing, so what is relatively “strongly” encrypted today may not fall under this definition in six months or a year… or two years. Whose responsibility will it be to monitor all encrypted personal data to check if it is still relatively “strongly” encrypted? Would this be done on a daily, weekly, monthly or annual basis? What is “strong” encryption anyway? Nobody knows.
Similarly, the Committee suggests that, rather than individuals having the right to consent to data processing, the consent should be only “as explicit as possible according to the context.” Instead of having one standard – explicit consent – individuals and companies would have to wrestle with a separate analysis of each context for every single type of data processing, in order to work out what – based on an unspecified set of criteria – “as explicit as possible” might mean. And, as with encryption, contexts change. Companies are bought and sold all the time, changing the potential for databases to be merged. Who will be responsible for re-assessing the context? Nobody knows.
The Committee’s understanding of the word “possible” also appears to be a fluid concept. It suggests “as explicit as possible” consent for normal data but always explicit (even when not possible?) for sensitive data.
The Committee decided to introduce a large degree of uncertainty, by completely removing the maximum sanctions for breaches of data protection law. It then decided to attempt to micromanage the thinking of national data protection authorities and national courts by explaining what would constitute a mitigating or an aggravating factor that would need to be taken into account when prosecuting a breach of the law. If national authorities and courts are so incompetent that such instructions are necessary, then there are far deeper problems that need to be solved.
As the final text is so confused, contradictory and, in places, totally meaningless (“The law of the Member State must also respect this regulation and international treatises that the Member State has decided to follow”), we can only hope that the rest of the Parliament treats this “opinion” with the (dis)respect it deserves.