Feeds

Biz barons jumpy over EU draft data protection reforms

Might they be wanting their pre-ticked boxes back?

Boost IT visibility and business value

An MEP's suggested reforms to EU data protection laws, which are to be put to a vote before the European Parliament, would damage the interests of businesses, an alliance of business groups has said.

In a statement, the Industry Coalition for Data Protection (ICDP) criticised the draft report that Jan-Phillip Albrecht published earlier this week on amendments he believes should be made to an existing draft framework for data protection reform.

The ICDP represents a number of major business trade bodies including the American Chamber of Commerce EU, the Japan Business Council in Europe, the Internet Advertising Bureau (IAB) Europe and the Software Alliance.

"The Industry Coalition for Data Protection (ICDP) continues to support the European Union's (EU) efforts to update privacy rules to 21st century standards," the ICDP said. "We regret, however, that after months of consultation, the draft report published by the rapporteur, Jan Philipp Albrecht, MEP, missed an opportunity to reconcile effective privacy safeguards with rules protecting the conduct of business—both fundamental rights under the EU charter."

"We urge members of the European Parliament, starting with the LIBE (Civil Liberties, Justice and Home Affairs) Committee, to take into account the important contributions emanating from other committees, and to enact legislation that maintains user trust while encouraging innovation and entrepreneurship in Europe. Achieving this result will require a thorough examination of the proposal and should not be rushed," it added.

Jan-Philipp Albrecht is a rapporteur for the European Parliament's LIBE Committee on the proposed EU data protection reforms. In January 2012 the European Commission unveiled plans for a new General Data Protection Regulation. The Commission hopes the Regulation will provide a single framework for data protection across the EU and replace the existing Data Protection Directive which has been in place since 1995 and which has been implemented differently across EU member states.

In his report Albrecht detailed amendments he would like to see made to the Commission's draft proposals. The report was dubbed as lacking in "depth and balance" by liberal MEP Alexander Alvaro who warned that, as a consequence, "a lot of work still needs to be done".

Some of the most significant amendments Albrecht has proposed relate to the issue of "consent". Obtaining individuals' consent is one way businesses can justifiably process personal data.

Under the Commission's proposed regime, organisations seeking to rely on individuals' consent in order to process their personal data would be required to ensure that that consent was explicit, freely given, specific and informed and obtained through a statement or "clear affirmative action".

Under Albrecht's proposals, businesses would not be able to use "pre-ticked boxes" to gain individuals' consent for the processing of their personal data.

"The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent," Albrecht said.

Albrecht also recommended change the terms around the proof businesses would have to show to demonstrate that they have individuals' consent to the processing. In addition, he has said that businesses that dominate in the markets they operate in should not be able to make unilateral and nonessential changes to consumers' contracts if consumers have "no option other than to accept the change or abandon an online resource in which they have invested significant time".

New rules relating to consent to pseudonymised data processing were also suggested by Albrecht, while the MEP also sought to define what should constitute "anonymised data" and fall outside the scope of the new legal framework.

In addition Albrecht also laid out major amendments to rules that would affect businesses that seek to rely on their overriding "legitimate interests" in processing personal data to justify not having to obtain individuals' consent to the activity. Organisations can legitimately process personal data without obtaining individuals' consent under certain circumstances, including if the "legitimate interests" of the organisations outweigh the fundamental rights of the individuals concerned.

However, Albrecht has proposed that companies should only be able to rely on the "legitimate interests" provisions in "exceptional circumstances". The rapporteur also laid out new rules that set out examples of when organisations' "legitimate interests" could be said to outweigh individuals' rights, and vice versa. Albrecht claimed that the draft amendments "give clearer guidance and provide legal certainty for data processing based on the legitimate interest of the data controller".

Other changes Albrecht proposed included increasing the time limit businesses would have to report data breaches to regulators from 24 hours, which the Commission proposed, to 72 hours. In addition, Albrecht said that the requirement to appoint a dedicated data protection officer should not be imposed on companies with more than 250 employees but rather on firms that process the personal data of more than 500 individuals each year.

"In the age of cloud computing, where even very small controllers can process large amounts of data through online services, the threshold for the mandatory designation of a data protection officer should not be based on the size of the enterprise, but rather on the relevance of data processing," Albrecht said. "This includes the categories of personal data processed, the type of processing activity, and the number of individuals whose data are processed."

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Build a business case: developing custom apps

More from The Register

next story
Hello, police, El Reg here. Are we a bunch of terrorists now?
Do Brits risk arrest for watching beheading video nasty? We asked the fuzz
Detroit losing MILLIONS because it buys CHEAP BATTERIES – report
Man at hardware store was right: name brands DO last longer
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
EU justice chief blasts Google on 'right to be forgotten'
Don't pretend it's a freedom of speech issue – interim commish
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
This'll end well: US govt says car-to-car jibber-jabber will SAVE lives
Department of Transportation starts cogs turning for another wireless comms standard
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.