The current proposals are a stronger and more enforceable assertion of existing principles. The Regulation outlines a number of measures that would give people more control over their data and make sure businesses that handle data play by the rules, ensuring they are held to account for their data practices.
Below is a brief overview of some of the key issues. These fall into three categories: the scope of the law; the rights of the data subject; and the obligations on those who collect and use personal information.
We have also produced an analysis of the amendments (pdf) proposed by MEPs that contain language written by industry lobbyists, as revealed by the website LobbyPlag.eu. This gives more detail on the arguments currently taking place about the Regulation.
1. The scope of the law
The strength of the Regulation depends on the definition of what constitutes a data subject and personal data (see Article 4). It is becoming increasingly possible to identify a person using less and less data, or to “re-identify” someone from data previously considered anonymous. Data controllers increasingly rely upon data drawn from several sources, making 'pseudonymising' or 'anonymising' data difficult if not impossible to achieve in practice.
But a number of amendments would exclude pseudonymous and anonymous data, or reduce the requirements on those who process that category of information. We think the same standards should apply to all data that can be used to single people out.
The “legitimate interests” of the data controller is one of the grounds upon which data can be processed (Article 6(1)(f)). It means that processing of information can take place if it is in the 'legitimate interest' of the data controller. There is a similar provision in the current law, and this has led to widespread abuse and processing of data to which the data subject did not consent. (For more information and examples of how the 'legitimate interests' ground can be abused, see the analysis by Bits of Freedom.)
Some of the amendments proposed by industry, via MEPs, in the Committees would make this situation even worse by broadening the provision to the “legitimate interest” of a third party. The original draft Regulation does not mention the legitimate interest of a third party, only a controller. That would make an already big loophole even broader and permit all sorts of processing without the consent of the individual.
2. Rights of the data subject
(Article 4(8) and Article 6)
Consent is one of the six legal grounds on which personal data may be processed. To make this meaningful, consent needs to be explicit, informed and freely given - meaning that people must be fully aware of what they are consenting to, be given an opportunity to make a clear and explicit choice, and not be forced into giving away their data.
Some amendments look to weaken what consent would mean, for instance removing the word 'explicit' or weakening the principle that consent should be freely given.
There are new, stronger rights to request the deletion of personal data held about you (see Article 17). The right to be forgotten basically means those organisations that collect data, such as social networks, will have to comply with your requests to delete your personal information. This would help hold controllers to account and empower data subjects to have control over their own data.
There are limitations to this where deletion impacts upon freedom of expression, public health, some forms of public interest research and compliance with a legal obligation.
This would allow people to request their personal data back and, if they wish, transfer it to another service (see Article 18).
Data portability would give people more meaningful control over their data, help them avoid ‘lock in’ to particular services and will as a result help drive competition.
Some industry lobbyists claim that this will be too expensive and difficult. However, this is unlikely to be a significant burden and the benefits to consumers would be great. The UK's Department for Business, Innovation and Skills is currently promoting a similar initiative, called Midata. The Department estimates significant consumer benefits. Many businesses are taking part in the scheme.
3. Obligations on those who collect and use personal information
In the 'big data' age it is imperative that those who gather and use personal information know that if they break the rules, there will be meaningful consequences. That is why it is really important to have serious financial punishments for abuse (see Article 79(5)). Without them, the Regulation will lack force.
Some amendments look to either reduce the level of possible fines or introduce conditions that would significantly weaken the fines' cautionary or punitive effect.
This would mean that people who collect and use data would have to notify the data subject and the relevant regulator, without undue delay (see Articles 31 and 32). A mandatory data breach notification should be welcomed, given the potentially serious nature of such breaches. People should have the right to know when there have been mistakes handling their personal data.
The requirements as written in the Regulation to notify the data subject and the regulatory authority in good time seem clear and proportionate.
An EU-wide coalition of civil society groups has joined together to fight for a strong Regulation - you can find out more at www.privacycampaign.eu/
For more information contact Peter Bradwell: firstname.lastname@example.org