Feeds

Biz barons jumpy over EU draft data protection reforms

Might they be wanting their pre-ticked boxes back?

The Power of One Infographic

An MEP's suggested reforms to EU data protection laws, which are to be put to a vote before the European Parliament, would damage the interests of businesses, an alliance of business groups has said.

In a statement, the Industry Coalition for Data Protection (ICDP) criticised the draft report that Jan-Phillip Albrecht published earlier this week on amendments he believes should be made to an existing draft framework for data protection reform.

The ICDP represents a number of major business trade bodies including the American Chamber of Commerce EU, the Japan Business Council in Europe, the Internet Advertising Bureau (IAB) Europe and the Software Alliance.

"The Industry Coalition for Data Protection (ICDP) continues to support the European Union's (EU) efforts to update privacy rules to 21st century standards," the ICDP said. "We regret, however, that after months of consultation, the draft report published by the rapporteur, Jan Philipp Albrecht, MEP, missed an opportunity to reconcile effective privacy safeguards with rules protecting the conduct of business—both fundamental rights under the EU charter."

"We urge members of the European Parliament, starting with the LIBE (Civil Liberties, Justice and Home Affairs) Committee, to take into account the important contributions emanating from other committees, and to enact legislation that maintains user trust while encouraging innovation and entrepreneurship in Europe. Achieving this result will require a thorough examination of the proposal and should not be rushed," it added.

Jan-Philipp Albrecht is a rapporteur for the European Parliament's LIBE Committee on the proposed EU data protection reforms. In January 2012 the European Commission unveiled plans for a new General Data Protection Regulation. The Commission hopes the Regulation will provide a single framework for data protection across the EU and replace the existing Data Protection Directive which has been in place since 1995 and which has been implemented differently across EU member states.

In his report Albrecht detailed amendments he would like to see made to the Commission's draft proposals. The report was dubbed as lacking in "depth and balance" by liberal MEP Alexander Alvaro who warned that, as a consequence, "a lot of work still needs to be done".

Some of the most significant amendments Albrecht has proposed relate to the issue of "consent". Obtaining individuals' consent is one way businesses can justifiably process personal data.

Under the Commission's proposed regime, organisations seeking to rely on individuals' consent in order to process their personal data would be required to ensure that that consent was explicit, freely given, specific and informed and obtained through a statement or "clear affirmative action".

Under Albrecht's proposals, businesses would not be able to use "pre-ticked boxes" to gain individuals' consent for the processing of their personal data.

"The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent," Albrecht said.

Albrecht also recommended change the terms around the proof businesses would have to show to demonstrate that they have individuals' consent to the processing. In addition, he has said that businesses that dominate in the markets they operate in should not be able to make unilateral and nonessential changes to consumers' contracts if consumers have "no option other than to accept the change or abandon an online resource in which they have invested significant time".

New rules relating to consent to pseudonymised data processing were also suggested by Albrecht, while the MEP also sought to define what should constitute "anonymised data" and fall outside the scope of the new legal framework.

In addition Albrecht also laid out major amendments to rules that would affect businesses that seek to rely on their overriding "legitimate interests" in processing personal data to justify not having to obtain individuals' consent to the activity. Organisations can legitimately process personal data without obtaining individuals' consent under certain circumstances, including if the "legitimate interests" of the organisations outweigh the fundamental rights of the individuals concerned.

However, Albrecht has proposed that companies should only be able to rely on the "legitimate interests" provisions in "exceptional circumstances". The rapporteur also laid out new rules that set out examples of when organisations' "legitimate interests" could be said to outweigh individuals' rights, and vice versa. Albrecht claimed that the draft amendments "give clearer guidance and provide legal certainty for data processing based on the legitimate interest of the data controller".

Other changes Albrecht proposed included increasing the time limit businesses would have to report data breaches to regulators from 24 hours, which the Commission proposed, to 72 hours. In addition, Albrecht said that the requirement to appoint a dedicated data protection officer should not be imposed on companies with more than 250 employees but rather on firms that process the personal data of more than 500 individuals each year.

"In the age of cloud computing, where even very small controllers can process large amounts of data through online services, the threshold for the mandatory designation of a data protection officer should not be based on the size of the enterprise, but rather on the relevance of data processing," Albrecht said. "This includes the categories of personal data processed, the type of processing activity, and the number of individuals whose data are processed."

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Boost IT visibility and business value

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.