Feeds

Biz barons jumpy over EU draft data protection reforms

Might they be wanting their pre-ticked boxes back?

High performance access to file storage

An MEP's suggested reforms to EU data protection laws, which are to be put to a vote before the European Parliament, would damage the interests of businesses, an alliance of business groups has said.

In a statement, the Industry Coalition for Data Protection (ICDP) criticised the draft report that Jan-Phillip Albrecht published earlier this week on amendments he believes should be made to an existing draft framework for data protection reform.

The ICDP represents a number of major business trade bodies including the American Chamber of Commerce EU, the Japan Business Council in Europe, the Internet Advertising Bureau (IAB) Europe and the Software Alliance.

"The Industry Coalition for Data Protection (ICDP) continues to support the European Union's (EU) efforts to update privacy rules to 21st century standards," the ICDP said. "We regret, however, that after months of consultation, the draft report published by the rapporteur, Jan Philipp Albrecht, MEP, missed an opportunity to reconcile effective privacy safeguards with rules protecting the conduct of business—both fundamental rights under the EU charter."

"We urge members of the European Parliament, starting with the LIBE (Civil Liberties, Justice and Home Affairs) Committee, to take into account the important contributions emanating from other committees, and to enact legislation that maintains user trust while encouraging innovation and entrepreneurship in Europe. Achieving this result will require a thorough examination of the proposal and should not be rushed," it added.

Jan-Philipp Albrecht is a rapporteur for the European Parliament's LIBE Committee on the proposed EU data protection reforms. In January 2012 the European Commission unveiled plans for a new General Data Protection Regulation. The Commission hopes the Regulation will provide a single framework for data protection across the EU and replace the existing Data Protection Directive which has been in place since 1995 and which has been implemented differently across EU member states.

In his report Albrecht detailed amendments he would like to see made to the Commission's draft proposals. The report was dubbed as lacking in "depth and balance" by liberal MEP Alexander Alvaro who warned that, as a consequence, "a lot of work still needs to be done".

Some of the most significant amendments Albrecht has proposed relate to the issue of "consent". Obtaining individuals' consent is one way businesses can justifiably process personal data.

Under the Commission's proposed regime, organisations seeking to rely on individuals' consent in order to process their personal data would be required to ensure that that consent was explicit, freely given, specific and informed and obtained through a statement or "clear affirmative action".

Under Albrecht's proposals, businesses would not be able to use "pre-ticked boxes" to gain individuals' consent for the processing of their personal data.

"The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent," Albrecht said.

Albrecht also recommended change the terms around the proof businesses would have to show to demonstrate that they have individuals' consent to the processing. In addition, he has said that businesses that dominate in the markets they operate in should not be able to make unilateral and nonessential changes to consumers' contracts if consumers have "no option other than to accept the change or abandon an online resource in which they have invested significant time".

New rules relating to consent to pseudonymised data processing were also suggested by Albrecht, while the MEP also sought to define what should constitute "anonymised data" and fall outside the scope of the new legal framework.

In addition Albrecht also laid out major amendments to rules that would affect businesses that seek to rely on their overriding "legitimate interests" in processing personal data to justify not having to obtain individuals' consent to the activity. Organisations can legitimately process personal data without obtaining individuals' consent under certain circumstances, including if the "legitimate interests" of the organisations outweigh the fundamental rights of the individuals concerned.

However, Albrecht has proposed that companies should only be able to rely on the "legitimate interests" provisions in "exceptional circumstances". The rapporteur also laid out new rules that set out examples of when organisations' "legitimate interests" could be said to outweigh individuals' rights, and vice versa. Albrecht claimed that the draft amendments "give clearer guidance and provide legal certainty for data processing based on the legitimate interest of the data controller".

Other changes Albrecht proposed included increasing the time limit businesses would have to report data breaches to regulators from 24 hours, which the Commission proposed, to 72 hours. In addition, Albrecht said that the requirement to appoint a dedicated data protection officer should not be imposed on companies with more than 250 employees but rather on firms that process the personal data of more than 500 individuals each year.

"In the age of cloud computing, where even very small controllers can process large amounts of data through online services, the threshold for the mandatory designation of a data protection officer should not be based on the size of the enterprise, but rather on the relevance of data processing," Albrecht said. "This includes the categories of personal data processed, the type of processing activity, and the number of individuals whose data are processed."

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

3 Big data security analytics techniques

More from The Register

next story
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Whoever you vote for, Google gets in
Report uncovers giant octopus squid of lobbying influence
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.