Feeds

Biz barons jumpy over EU draft data protection reforms

Might they be wanting their pre-ticked boxes back?

Boost IT visibility and business value

An MEP's suggested reforms to EU data protection laws, which are to be put to a vote before the European Parliament, would damage the interests of businesses, an alliance of business groups has said.

In a statement, the Industry Coalition for Data Protection (ICDP) criticised the draft report that Jan-Phillip Albrecht published earlier this week on amendments he believes should be made to an existing draft framework for data protection reform.

The ICDP represents a number of major business trade bodies including the American Chamber of Commerce EU, the Japan Business Council in Europe, the Internet Advertising Bureau (IAB) Europe and the Software Alliance.

"The Industry Coalition for Data Protection (ICDP) continues to support the European Union's (EU) efforts to update privacy rules to 21st century standards," the ICDP said. "We regret, however, that after months of consultation, the draft report published by the rapporteur, Jan Philipp Albrecht, MEP, missed an opportunity to reconcile effective privacy safeguards with rules protecting the conduct of business—both fundamental rights under the EU charter."

"We urge members of the European Parliament, starting with the LIBE (Civil Liberties, Justice and Home Affairs) Committee, to take into account the important contributions emanating from other committees, and to enact legislation that maintains user trust while encouraging innovation and entrepreneurship in Europe. Achieving this result will require a thorough examination of the proposal and should not be rushed," it added.

Jan-Philipp Albrecht is a rapporteur for the European Parliament's LIBE Committee on the proposed EU data protection reforms. In January 2012 the European Commission unveiled plans for a new General Data Protection Regulation. The Commission hopes the Regulation will provide a single framework for data protection across the EU and replace the existing Data Protection Directive which has been in place since 1995 and which has been implemented differently across EU member states.

In his report Albrecht detailed amendments he would like to see made to the Commission's draft proposals. The report was dubbed as lacking in "depth and balance" by liberal MEP Alexander Alvaro who warned that, as a consequence, "a lot of work still needs to be done".

Some of the most significant amendments Albrecht has proposed relate to the issue of "consent". Obtaining individuals' consent is one way businesses can justifiably process personal data.

Under the Commission's proposed regime, organisations seeking to rely on individuals' consent in order to process their personal data would be required to ensure that that consent was explicit, freely given, specific and informed and obtained through a statement or "clear affirmative action".

Under Albrecht's proposals, businesses would not be able to use "pre-ticked boxes" to gain individuals' consent for the processing of their personal data.

"The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent," Albrecht said.

Albrecht also recommended change the terms around the proof businesses would have to show to demonstrate that they have individuals' consent to the processing. In addition, he has said that businesses that dominate in the markets they operate in should not be able to make unilateral and nonessential changes to consumers' contracts if consumers have "no option other than to accept the change or abandon an online resource in which they have invested significant time".

New rules relating to consent to pseudonymised data processing were also suggested by Albrecht, while the MEP also sought to define what should constitute "anonymised data" and fall outside the scope of the new legal framework.

In addition Albrecht also laid out major amendments to rules that would affect businesses that seek to rely on their overriding "legitimate interests" in processing personal data to justify not having to obtain individuals' consent to the activity. Organisations can legitimately process personal data without obtaining individuals' consent under certain circumstances, including if the "legitimate interests" of the organisations outweigh the fundamental rights of the individuals concerned.

However, Albrecht has proposed that companies should only be able to rely on the "legitimate interests" provisions in "exceptional circumstances". The rapporteur also laid out new rules that set out examples of when organisations' "legitimate interests" could be said to outweigh individuals' rights, and vice versa. Albrecht claimed that the draft amendments "give clearer guidance and provide legal certainty for data processing based on the legitimate interest of the data controller".

Other changes Albrecht proposed included increasing the time limit businesses would have to report data breaches to regulators from 24 hours, which the Commission proposed, to 72 hours. In addition, Albrecht said that the requirement to appoint a dedicated data protection officer should not be imposed on companies with more than 250 employees but rather on firms that process the personal data of more than 500 individuals each year.

"In the age of cloud computing, where even very small controllers can process large amounts of data through online services, the threshold for the mandatory designation of a data protection officer should not be based on the size of the enterprise, but rather on the relevance of data processing," Albrecht said. "This includes the categories of personal data processed, the type of processing activity, and the number of individuals whose data are processed."

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

The Essential Guide to IT Transformation

More from The Register

next story
Just TWO climate committee MPs contradict IPCC: The two with SCIENCE degrees
'Greenhouse effect is real, but as for the rest of it ...'
'Blow it up': Plods pop round for chat with Commonwealth Games tweeter
You'd better not be talking about the council's housing plans
Arrr: Freetard-bothering Digital Economy Act tied up, thrown in the hold
Ministry of Fun confirms: Yes, we're busy doing nothing
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
Apple smacked with privacy sueball over Location Services
Class action launched on behalf of 100 million iPhone owners
Adam Afriyie MP: Smart meters are NOT so smart
Mega-costly gas 'n' 'leccy totting-up tech not worth it - Tory MP
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.