Brief overview of the leaked EU Data Protection Regulation

By EDRi · December 14, 2011

This article is also available in:
Deutsch: [Ein Überblick über die geleakte EU-Datenschutzverordnung |]

Last week, Europe was able to get a first glance at the “General Data
Protection Regulation” thanks to a leak by Statewatch. It is due to be
officially published on 25 January 2012 and will repeal the outdated Data
Protection Directive from 1995. It keeps the Directive’s key principles but
also aims at taking into account the technological developments. It aims at
greater harmonisation and more “coherent” rules: “Differences in the level
of protection of the rights and freedoms of individuals may therefore
constitute an obstacle to the pursuit of economic activities at the level of
the Union, distort competition and impede authorities in the discharge of
their responsibilities under Union law.”

The draft regulation introduces new rights and new definitions. Sensitive
data are now redefined to cover genetic and biometric data. The definition
of a data subject is mildly extended to a person who can be identified
directly or indirectly by the controller or “any natural or legal person”.
New rights include clearer rights on data portability. It also introduces
mandatory reporting of data breaches as well as new competences and powers
for supervisory authorities in terms of independence and capacity. Moreover,
the regulation (article 63) establishes a European Data Protection Board
which is going to replace the existing Article 29 Working Party.

Article 2 of the Regulation defines the scope and states that it also
“applies to the processing of personal data of data subjects residing in the
Union not carried out in the context of the activities of an establishment
of a controller in the Union, where the processing activities are directed
to such data subjects, or serve to monitor the behaviour of such data
subjects.” It will thus apply to businesses that have entities in Europe,
use equipment in the EU to process data or who have data processing
activities directed to EU data subjects or served to monitor their

Users can still make requests to access their data and ask for erasure. This
“right to be forgotten” (Art. 15) is basically a re-packaging of the already
existing right to deletion after the purpose has been fulfilled (Art. 12 of
Directive 95/46/EC). The current draft proposal goes further than the 1995
Directive proposing the right to erasure if the data are no longer necessary
or if the data subject withdraws his/her consent, including the right to
erasure of any public Internet link to, copy or replication of personal data
relating to the data subject in any public communication service. This
especially applies “in relation to personal data which are made available by
the data subject while he or she was a child”.

It has already been argued that the article on the right to be forgotten was
not particularly well drafted and could therefore have serious and obviously
unintended implications for freedom of speech. Even though one of the aims
of this article is to counter the loss of purpose limitations in social
media, it must be carefully drafted to avoid its potential misuse as a tool
for censorship. It has also been criticised as data controllers, for
instance blogs or other independent media that do not comply with the ‘right
to be forgotten’, could be fined between 500 and 600 000 Euros.

One of the elements of the draft regulation that can be applauded is
represented by articles 37 and 42 which regulate data processing by third
countries. Data can be transferred to a third country only if certain
criteria are met to ensure the level of protection of individuals for the
protection of personal data. Article 42 addresses extra-territorial actions
by third countries such as the USA Patriot Act and the USA Foreign
Intelligence Surveillance Act and imposes barriers for foreign judicial
authorities to access European data. This article is particularly
interesting with regard to the US requests for European data such as the
request for twitter account details of European citizens that might be
related to WikiLeaks.

Proposal for a Regulation on the protection of individuals with
regard to the processing of personal data and on the free movement of such
data (General Data Protection Regulation)

9 Reasons Why a ‘Right to be Forgotten’ is Really Wrong (8.12.2011)

A quick review of the draft EU Data Protection Regulation- Privacy
International (8.12.2011)

(Contribution by Kirsten Fiedler – EDRi)