Many amendments proposed by Liberal Democrat MEP Baroness Ludford to the Data Protection Regulation would leave us with less control of our personal information. In this post, we focus on consent and loopholes.
Yesterday we wrote about Baroness Ludford's amendment to the Data Protection Regulation (amendment number 1210) that would mean your data could be transferred to a third country or international organisation without you being told. In the light of the PRISM revelations, we suggested this amendment should be withdrawn.
Baroness Ludford proposed a number of other amendments that we believe would seriously weaken the Regulation and undermine the control people have over their data. In this post, we focus on two other topics – consent, and loopholes. (Overall the Baroness proposed 113 amendments – you can read them all on LobbyPlag.eu. EDRi have analysed all the amendments too.)
The draft Regulation defines consent as having to be 'explicit'. However, in her proposed amendment 762, the Baroness removes words including 'explicit', leaving us with a much weaker definition. Here is the amendment:
Article 4 – paragraph 1 – point 8
(8) ‘the data subject’s consent’ means any freely given specific, [DELETED: informed and explicit] [INSERTED: and informed] indication of his or her wishes by which the data subject, [DELETED: either by a statement or by a clear affirmative action,] signifies agreement to personal data relating to them being processed;
Consent is one of the legal bases of processing. It is frequently abused, especially online, where collection is often based on vague or confusing language. Sometimes businesses say it is enough that someone's behaviour – for example signing up to a website – implies that they consent to the use of their data.
Removing the word 'explicit', or replacing the definition with vaguer language, would allow companies to continue to assume consent has been given. They would be able to continue to assume you have 'implied' your consent, or to include consent language in hard-to-understand terms and conditions. Implied consent is effectively what we have now in the UK, and it has allowed companies to basically make it up as they go along.
As we mentioned yesterday, in an article for LibDem Voice Baroness Ludford cites the European consumer organisation BEUC's position on consent in support of her position. In a response sent to members of the LIBE Committee, BEUC have been strongly critical, adding that it was “to their dismay...that...(she) referred to our position on ‘consent’ in isolation and without referring to the points included in the BEUC position.” BEUC go on to say that other amendments proposed by the Baroness would “systematically reduce the level of protection that consumers in the UK and elsewhere enjoy”.
2. Creating broad loopholes
The proposed Regulation as it stands would also make sure that those wishing to gather and use data can only do so if they satisfy one of six grounds. Amendments that widen these grounds create a risk that it will be too easy for businesses or organisations to use data in ill-defined ways, or in ways that people can't control.
Some of the Baroness' amendments do just that. Amendment 862 would permit processing simply on the basis of industry codes of practice – taking your consent away from you on the basis of an agreement put together by businesses – for example, advertising companies – in which they merely promise to play by the rules.
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with a legal obligation [INSERTED: or regulatory rule or industry code of practice, either domestically or internationally,] to which the controller is subject;
Further, we are concerned about amendment 876, which potentially means that data controllers – meaning Facebook, Google or Experian – could make assumptions about what people's 'legitimate expectations' regarding the efficient delivery of a service are, and use personal data on that basis. This should not be a decision in the hands of the data controller.
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller [INSERTED: such as to detect crime or to prevent crime, fraud, loss or harm or to meet the legitimate expectations of the data subject in the efficient delivery of the service], except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
These are two further reasons, on top of amendment 1210, that we remain concerned about the damage the Baroness' amendments will do to our privacy rights. We do not believe this is an overreaction. We'll post some more tomorrow.
You can contact your MEPs on our campaign website to ask them to respect our privacy rights - just visit NakedCitizens.eu.