Biz barons jumpy over EU draft data protection reforms
Might they be wanting their pre-ticked boxes back?
An MEP's suggested reforms to EU data protection laws, which are to be put to a vote before the European Parliament, would damage the interests of businesses, an alliance of business groups has said.
In a statement, the Industry Coalition for Data Protection (ICDP) criticised the draft report that Jan-Phillip Albrecht published earlier this week on amendments he believes should be made to an existing draft framework for data protection reform.
The ICDP represents a number of major business trade bodies including the American Chamber of Commerce EU, the Japan Business Council in Europe, the Internet Advertising Bureau (IAB) Europe and the Software Alliance.
"The Industry Coalition for Data Protection (ICDP) continues to support the European Union's (EU) efforts to update privacy rules to 21st century standards," the ICDP said. "We regret, however, that after months of consultation, the draft report published by the rapporteur, Jan Philipp Albrecht, MEP, missed an opportunity to reconcile effective privacy safeguards with rules protecting the conduct of business—both fundamental rights under the EU charter."
"We urge members of the European Parliament, starting with the LIBE (Civil Liberties, Justice and Home Affairs) Committee, to take into account the important contributions emanating from other committees, and to enact legislation that maintains user trust while encouraging innovation and entrepreneurship in Europe. Achieving this result will require a thorough examination of the proposal and should not be rushed," it added.
Jan-Philipp Albrecht is a rapporteur for the European Parliament's LIBE Committee on the proposed EU data protection reforms. In January 2012 the European Commission unveiled plans for a new General Data Protection Regulation. The Commission hopes the Regulation will provide a single framework for data protection across the EU and replace the existing Data Protection Directive which has been in place since 1995 and which has been implemented differently across EU member states.
In his report Albrecht detailed amendments he would like to see made to the Commission's draft proposals. The report was dubbed as lacking in "depth and balance" by liberal MEP Alexander Alvaro who warned that, as a consequence, "a lot of work still needs to be done".
Some of the most significant amendments Albrecht has proposed relate to the issue of "consent". Obtaining individuals' consent is one way businesses can justifiably process personal data.
Under the Commission's proposed regime, organisations seeking to rely on individuals' consent in order to process their personal data would be required to ensure that that consent was explicit, freely given, specific and informed and obtained through a statement or "clear affirmative action".
Under Albrecht's proposals, businesses would not be able to use "pre-ticked boxes" to gain individuals' consent for the processing of their personal data.
"The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent," Albrecht said.
Albrecht also recommended change the terms around the proof businesses would have to show to demonstrate that they have individuals' consent to the processing. In addition, he has said that businesses that dominate in the markets they operate in should not be able to make unilateral and nonessential changes to consumers' contracts if consumers have "no option other than to accept the change or abandon an online resource in which they have invested significant time".
New rules relating to consent to pseudonymised data processing were also suggested by Albrecht, while the MEP also sought to define what should constitute "anonymised data" and fall outside the scope of the new legal framework.
In addition Albrecht also laid out major amendments to rules that would affect businesses that seek to rely on their overriding "legitimate interests" in processing personal data to justify not having to obtain individuals' consent to the activity. Organisations can legitimately process personal data without obtaining individuals' consent under certain circumstances, including if the "legitimate interests" of the organisations outweigh the fundamental rights of the individuals concerned.
However, Albrecht has proposed that companies should only be able to rely on the "legitimate interests" provisions in "exceptional circumstances". The rapporteur also laid out new rules that set out examples of when organisations' "legitimate interests" could be said to outweigh individuals' rights, and vice versa. Albrecht claimed that the draft amendments "give clearer guidance and provide legal certainty for data processing based on the legitimate interest of the data controller".
Other changes Albrecht proposed included increasing the time limit businesses would have to report data breaches to regulators from 24 hours, which the Commission proposed, to 72 hours. In addition, Albrecht said that the requirement to appoint a dedicated data protection officer should not be imposed on companies with more than 250 employees but rather on firms that process the personal data of more than 500 individuals each year.
"In the age of cloud computing, where even very small controllers can process large amounts of data through online services, the threshold for the mandatory designation of a data protection officer should not be based on the size of the enterprise, but rather on the relevance of data processing," Albrecht said. "This includes the categories of personal data processed, the type of processing activity, and the number of individuals whose data are processed."
Copyright © 2012, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
Sponsored: Flash storage buyer's guide