This article is also available in:
Deutsch: [ENDitorial: Erste EDRi-Stellungnahme zur Datenschutzverordnung |]

EDRi welcomes the European Commission’s proposal for a new data protection
Regulation. Europe needs a comprehensive reform in order to ensure the
protection of its citizens’ personal data and privacy, while enhancing legal
certainty and competitiveness in a single digital market. Since the
“inter-service” draft was leaked in December, there has been a significant
lobbying effort by certain foreign governments and industries. Although, as
a result, some of the provisions seem to have been watered down or
downgraded, and although there are still areas of concern, we are pleased to
see that the proposal still highlights the importance of key principles such
as the need for a clear “legitimate ground” for processing, transparency,
fairness, “purpose-limitation”, “privacy by design”, and data minimisation.

This is a first, positive step in a long legislative process that in the end
will hopefully secure greater respect for and awareness of the fundamental
right to data protection and to privacy for European citizens.

Why we need a Regulation (and not a Directive)
An EU wide, unified approach to securing an appropriately high level of data
protection, and to the safeguarding of essential elements of democratic
societies such as privacy and free speech is long overdue. It is crucial in
a fast changing digital environment.

European Court of Justice case-law over the past 15 years shows that many
Member States met neither the substantive nor the procedural/enforcement
requirements of EU data protection law in full. Data protection legislation
is moreover highly fragmented: legislators and regulators in the 27 EU
Member States implement the Directive in 27 different ways. Harmonisation in
the form of a single, directly applicable instrument is indeed needed to
ensure legal certainty in the single European market – for citizens and
businesses alike.

According to Article 3(2) of the Regulation, its provisions will also apply
to processing by non-EU entities if the processing activities of those
entities are related to the offering of goods or services to EU data
subjects, or to the monitoring of EU citizens’ behaviour. This replaces the
rather unclear “use of equipment” test of the Directive. EDRi welcomes these
new rules on territorial scope.

The right to be forgotten and free speech issues
The”right to be forgotten” (Art. 17) is basically a re-affirmation and
strengthening of the already existing right to deletion of personal data
after the purpose for which they were processed has been fulfilled (Art.12
of Directive 95/46/EC). The current draft proposal goes further than the
1995 Directive by proposing the right to erasure if the data are no longer
necessary or if the data subject withdraws his/her consent, and by including
rules aimed at the erasure of any public Internet link to, copy or
replication of the personal data relating to the data subject which the data
subject is seeking to have removed. This especially applies “in relation to
personal data which are made available by the data subject while he or she
was a child”. However, the provision has been weakened since the last leak,
now requiring merely that the data controller “shall take all reasonable
steps” to inform third parties that the user wishes to erase any links to or
copies of the material.

EDRi also believes that as currently draft, the article could have serious
(if perhaps unintended) implications for freedom of speech. Even though one
of the aims of this article is to counter the loss of purpose limitations in
social media, it must be carefully drafted to avoid its potential misuse as
a tool for censorship.

Overall, in EDRi’s view, the “right to be forgotten” article was not
particularly well drafted. EDRi would therefore like to see the text
clarified and strengthened, but also feels that the underlying thinking is a
step in the right direction.

Data portability in general (Article 18)
Individuals will be given the right to demand that an organisation should
transfer any or all information held about them to a third party in a format
which the individual determines. This increases the control that individuals
have over data which identifies them and makes it easier for them to
transfer business or employment relationships. The text does not clarify who
will be required to cover associated costs of such an exercise. In EDRi’s
view, this should not be at the expense of the data subject. Other than
that, EDRi welcomes this new principle.

Right to Data Portability in relation to social networks
The right to data portability mentioned above includes the right to move
account information from one social media service to another and to benefit
from privacy-friendly alternatives. This right is limited by a rather
poorly-drafted requirement on the format to be used for stored data. It is
important that users have a right to their electronically stored data, “in
an electronic format which is commonly used” rather than only having the
right to obtain the data if they are stored in such a format. This is a very
good start to deal for dealing with the network externalities and related
natural monopolies of networking platforms such as social networks. But in
EDRi’s view, in order to work, this should include an inter-connection or
inter-operability provision.

Privacy by Design/Default
EDRi also welcomes the new provisions regarding privacy by design / by
default of Article 23, since it is essential that companies consider privacy
at each stage of product development. However, in EDRi’s view, an effective
implementation mechanism of “privacy by design” is needed. This could be
created by the introduction of an obligation to conduct privacy impact
assessments, which aim to ensure that privacy concerns are built into every
part of the life cycle of a product or service.

EDRi also welcomes the support given by the proposed Regulation to European
Certification processes, provided that (like the current European Privacy
Seal, EuroPriSe), they apply the highest and strictest European data
protection standards.

Data breach notification
Articles 31and 32 introduce an obligation to notify personal data breaches,
in principle within 24 hours (but with some sensible flexibility built in).
Moreover, individual users should be notified of a leak if the leak is
“likely to adversely affect the protection of the personal data or privacy”
of the users. In EDRi’s view, it is essential that customers are informed if
their personal information have been compromised, so that they can protect
themselves by, for example, changing passwords or getting new credit cards.
This broad obligation to report data breaches is very important, but the
articles do not provide for a central public register of data leakage. In
EDRi’s opinion, this provision can therefore be further improved.

Transfer of personal data to a third country (Article 42)
Under the proposed new Regulation, as under the current Directive, personal
data may only be transferred to a third country if certain criteria are met
to ensure an appropriate level of protection of those personal data.
However, Article 42 has been watered down and, in EDRi’s opinion, rendered
almost meaningless since the very first leaked draft of the Regulation. The
leaked version of the new Regulation indicated that barriers imposed on for
foreign judicial authorities regarding the to access of European data
outside fell beyond the scope of the agreed legal frameworks. It stated that
in cases where a third country requests the disclosure of personal data, the
controller or processor had to obtain prior authorisation for the transfer
from its local supervisory authority. The initial goal of this article was
clearly to address extra-territorial actions by third countries such as the
USA, acting under the PATRIOT Act or the Foreign Intelligence Surveillance
Act (FISA). The Article has, however, been totally emasculated, by only
imposing the condition that the third country has “adduced appropriate
safeguards with respect to the protection of personal data in a legally
binding instrument”. EDRi and other civil society groups will forcefully
oppose this new text.

According to the US Department of Commerce recent lobbying , Article 42 of
the proposed Regulation might affect US-registered companies located in the
EU and their ability to conduct business in the US. It is noteworthy that
the US currently uses instruments such as the Foreign Intelligence
Surveillance Act (FISA) and the Patriot Act to retrieve data on (e.g.) the
political activities of foreign individuals, who may have no links
whatsoever with the USA, via companies with US offices. This legal vacuum
was meant to be addressed by article 42. It has not been. EDRi believes that
this will be one of the most important areas of debate. We will insist that
the EU rules will ensure full respect for the civil and political rights of
EU citizens, also against encroachment from U.S. authorities.

EDRi welcomes the idea of having a range of different sanctions available
for specific types of data protection violations (Art. 79). As part of the
European harmonisation of data protection legislation, national authorities
will have greater power to impose penalties for infringements. The fines
clearly need to have a serious dissuasive effect, therefore it is sensible
(as in with competition policy) to make them dependent on the gross annual
turnover of a company. However we note that, since the last leak, the
maximum fine of 5% of global turnover has regrettably been reduced to 2% and
minimum fines have been deleted. In EDRi’s view, this reduction in maximum
fines is unwarranted.

EDRi will provide it’s a comprehensive analysis later, on the full proposed
framework, Regulation and Directive. In the meantime, we welcome
Commissioner Reding’s proposals as a positive first step in the long
process of updating privacy and data protection for EU citizens in the
digital environment.

US lobbying against draft Data Protection Regulation (22.12.2011)

EDRi-gram: US continue pushing on EU Commission against Data Protection
proposals (18.01.2012)

(Contribution by Kirsten Fiedler – EDRi)