Well I have just had a speed read of the leaked amendments that are being debated by the European Parliament today (see references). The general impression is that the Snowden revelations about the NSA has strengthened the Parliament’s view on the provisions that relate to the protection of data subjects when there is data sharing with the authorities.
I have also concluded that all that lobbying by corporate USA and Internet business has come to very little. They have very little to show for their efforts; I suspect courtesy of the NSA issues. The latest revelations concerning NSA surveillance on the French has just reinforced the "mood music" in favour of a stronger Regulation that protects data subjects.
We now know that the European Parliament has accepted these compromise proposals. The next question is whether the Council of Ministers will also converge to a final text, and if so, there will be another round of compromises to produce a final text. The European Commission could also produce another text. All it needs is for these two or three texts to be reconciled, we will then have a finished text; the Regulation is "on" so to speak.
As is well known, the Council of Ministers are gutting the Commission's original text (see references) and is moving in a less prescriptive direction with more flexibility for Member States; by contrast, the Parliamentary amendments tweak the text in a less prescriptive direction but adds more prescription in places.
In other words, there is a large gulf between the two compromise texts and a lot that can go wrong before a final compromise is reached.
Anyway – here goes. What caught my eye in these Parliamentary amendments – with very little comment.
Leading the headlines will be the following mega-fine provision in the reorganised Article 79; just read on.
“To anyone who does not comply with the obligations laid down in this Regulation, the supervisory authority shall impose at least one of the following sanctions:
a) a warning in writing in cases of first and non-intentional non-compliance;
b) regular periodic data protection audits;
c) a fine up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is greater.”
The mega-fine (which has certain tax avoiding, NSA data sharing, corporate USA companies in mind - no prizes for guessing) is mitigated if the controller or the processor is in possession of a valid "European Data Protection Seal”. There are a number of amendments to the Regulation that promote such Seals of approval (rather like a data protection kite-mark).
There is a definition of pseudonymous data: “Pseudonymous data' means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution”.
The important point of this definition is that 'pseudonymous data' is definitely personal data (i.e. subject to the rights especially the right to object to the processing). The intent is to mitigate some of the Regulation’s provisions and make the processing obligations less onerous.
Article 10(1), for instance, states that . “If the data processed by a controller … consist only of pseudonymous data, the controller shall not process or acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation”.
The next provision provides for an exemption that states that “Where the data controller is unable to comply with a provision of this Regulation” (because of A.10(1)), then the controller shall not be obliged to comply with that particular provision of this Regulation”.
Personally, I am not sure this works in the way the drafters intend; more of that perhaps in a later blog. I suspect it could be a very large exemption.
Sensitive personal data is extended to include what we have already in the UK Act and adds: philosophical beliefs, sexual orientation, gender identity, trade-union activities, biometric data administrative sanctions, judgments and suspected offences.
However, data controllers will be pleased to know that sensitive personal data can be processed if “processing is necessary for the performance or execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. In UK DPA terms there will be a general Schedule 3 condition covering "necessary for a contract".
There are new limits to data subject's consent:
• “Consent shall be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected”.
• “The execution of a contract or the provision of a service shall not be made conditional on the consent to the processing of data that is not necessary for the execution of the contract or the provision of the service”.
• As well as the burden of proof that the data subject has consented; it shall also be “as easy to withdraw consent as to give it” and the “data subject shall be informed by the controller if withdrawal of consent may result in the termination of the services provided or of the relationship with the controller”.
There are several changes to the Principles as we know them in the UK. There is
• an obligation to ensure that personal data are “processed in a way that effectively allows the data subject to exercise his or her rights (effectiveness)” (see this as a change to the UK 6th Principle);
• a reformulated Accountability Principle (a data controller “shall ensure and be able to demonstrate compliance with the provisions of this Regulation (accountability)” (The Council of Ministers dropped this).
The balance of interest grounds for the processing (e.g. in First Principle, Para 6, Schedule 2) from the data controller's perspective has an additional limitation: “the processing is necessary for the purposes of the legitimate interests pursued by a controller or … by the third party to whom the data is disclosed” where that interest has to “meet the reasonable expectations of the data subject based on his or her relationship with the controller….”. Public authorities cannot justify processing in terms of this ground
The data subject’s fair processing essay (or notice) is extended to include additional items (take a deep breath): “information regarding the security of the processing of personal data, the existence or absence of an adequacy decision the existence; where applicable, information about the existence of profiling, of measures based on profiling, and the envisaged effects of profiling on the data subject; meaningful information about the logic involved in any automated processing; in particular the existence of certain processing activities and operations for which a personal data impact assessment has indicated that there may be a high risk; and where applicable, information whether personal data was provided to public authorities during the last consecutive 12-month period”.
There is also the introduction of a pre-fair processing notice. Data subjects should be able to access “standardised information policies” which describe “where personal data relating to a data subject are collected”. The controller has to provide the data subject with the following particulars:
“a) whether personal data are collected beyond the minimum necessary for each specific purpose of the processing;
b) whether personal data are retained beyond the minimum necessary for each specific purpose of the processing;
c) whether personal data are processed for purposes other than the purposes for which they were collected;
d) whether personal data are disseminated to commercial third parties;
e) whether personal data are sold or rented out;
f) whether personal data are retained in encrypted form”.
There is a Privacy by Design Principle. “The controller shall ensure implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected, or retained or disseminated beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects are able to control the distribution of their personal data”.
Security Principle includes mandated details about security policies. Such a “policy shall include:
(a) the ability to ensure that the integrity of the personal data is validated;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
(c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident that impacts the availability, integrity and confidentiality of information systems and services;
(d) in the case of sensitive personal data processing … additional security measures to ensure situational awareness of risks and the ability to take preventive, corrective and mitigating action in near real time against vulnerabilities or incidents detected that could pose a risk to the data;
(e) a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness.
Any personal data loss has to be reported to Regulator without “undue delay” but the “The supervisory authority shall keep a public register of the types of breaches notified”.
The Regulation includes the concept of “Lifecycle Data Protection Management”. For instance a Privacy Impact Assements extended and includes a risk assessment. The Regulation then states that: “The following processing operations are likely to present specific risks:
(a) processing of personal data relating to more than 5000 data subjects during any consecutive 12-month period;
(b) processing of special categories of personal data …(in the UK these data are sensitive personal data)… location data or data on children or employees in large scale filing systems;
(c) profiling on which measures are based that produce legal effects concerning the individual or similarly significantly affect the individual;
(d) processing of personal data for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
(e) automated monitoring of publicly accessible areas on a large scale;
(f) other processing operations for which the consultation of the data protection officer or supervisory authority is required pursuant to point (b) of Article 34(2);
(g) where a personal data breach would likely adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject;
(h) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects;
(i) where personal data are made accessible to a number of persons which cannot reasonably be expected to be limited.
Most data controller will have to have a designated Data Protection Officer (e.g. where "the processing is carried out by a legal person and relates to more than 5000 data subjects in any consecutive 12-month period") . This mandatory DPO provision was dropped by the Council of Ministers in their textual discussions.
Exemptions are much reduced (almost to those in Article 12 of Directive 95/46/EC) whereas the Council of Ministers have widened them. However, the domestic purpose exemption is amended so that it applies to the “publication of personal data where it can be reasonably expected that it will be only accessed by a limited number of persons” (e.g. to accommodate users of social media).
The "right to forget" is forgot; instead there is an extended right of erasure which considers freedom of speech issues.
With respect to consistency and the European Commission’s powers, it appears that the following has happened.
• The European Data Protection Board determines the data protection standards
• Member States can have flexibility to modify certain provisions in accordance with national culture, traditions, culture etc
• European Commission’s role looks as if it is limited to when a Member State misuses that flexibility
Hope you find this useful. If you think I have missed something important, can you post a comment.
This is being discussed at UPDATE (next Monday) and our Data Protection Regulation half day (for details; follow the links bottom left of side panel). Places still available (and to the launch of Amberhawk Associates).
European Parliament amendments leak: http://www.edri.org/eudatap-leak
Recent blogs on the Regulation