Following the lead of the Committee on Civil Liberties, Justice and Home Affairs (LIBE), which had already released its draft report (see our prior blog), the European Parliament Committee on Industry, Research and Energy (ITRE Committee) published its Draft Opinion on the proposed General Data Protection Regulation (the “Regulation”) on 20 February. The opinion has been submitted to LIBE, which has the task of consolidating amendments and voting on its own report at the end of April.
In the Draft Opinion, rapporteur Seán Kelly expressed substantial support for the European Commission (“the Commission”) proposal, while suggesting that changes were needed to avoid excessive administrative burdens for enterprises and to introduce a greater degree of flexibility, especially in terms of accountability and the notification requirements to supervisory bodies. To that end, the ITRE Committee proposed significant amendments intended to ease restrictions on companies by focusing on corporate governance and the use of impact assessments, and by bringing greater clarity to the provisions. It recommended significant alterations to the most contentious provisions, such as consent mechanisms; the rights of access, portability and to be forgotten; the 24-hour breach notification requirement; and the sanctions regime.
Stressing the potential for over-reliance on consent, the ITRE Committee felt that overuse of consent may be unhelpful or even damaging to privacy protection, and would prefer that consent not be seen as the “primary or most desirable means of legitimising the processing of personal data.” Instead, the ITRE Committee would prefer that consent be relied on only where it is necessary and appropriate in context, for instance “only when data subjects can meaningfully and easily provide and revoke it.” The ITRE Committee also suggested that the form of consent should be proportionate to the type of personal data being processed and the purpose of the processing, as determined “through an appropriate impact assessment.” Where no impact assessment is conducted, the ITRE Committee envisages that a default requirement of explicit, informed consent would continue to apply. This recommendation could make implied consent available as a basis for processing, for example when an individual seeks the services of an organisation without entering into a contract. The ITRE Committee also proposed that broad consent, with an option to withdraw it at any point, should be available for historical, statistical or scientific research purposes. This could, however, set a difficult precedent for scientific research, which often relies on de-identified data and can be crucial to the development of new products, especially where the research stems from secondary uses of data. The ITRE Committee’s proposal on consent has been strongly criticised by the international advocacy group European Digital Rights (EDRi), which pointed out that creating different categories of consent could confuse users as well as controllers, leading to legal uncertainty.
Addressing the scope of anonymisation, the ITRE Committee goes one step further than LIBE rapporteur Jan Philipp Albrecht by proposing stand-alone definitions of anonymous and pseudonymous data. The aim is to achieve greater legal certainty and to encourage the use of these methods in protecting personal data. Under the proposed definitions, anonymous data would mean “any information that has never been related to a data subject or have been (…) processed so that it cannot be attributed to a data subject.” Pseudonymous data would mean “any personal data that has been (…) processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution.” In relation to statistical and public health data, the ITRE Committee recommends a provision requiring that such data be made anonymous immediately after collection, checking or matching, unless the identification data remains necessary for statistical and public health purposes, such as epidemiological, translational and clinical research.
Regarding the contentious right to be forgotten, the ITRE Committee takes the view that, given the nature of the Internet, which enables data to be freely and easily disseminated, it is unrealistic to expect data controllers to be able to locate and erase personal data which has been made public. The UK Information Commissioner (“ICO”), in its article-by-article analysis of the proposed Regulation (see our blog on the topic), likewise warned that it can be impossible to remove information from the Internet, and that the right to be forgotten could in fact “mislead individuals as to the degree of protection the law can offer them in practice.” Consequently, the ITRE Committee suggested preserving the general right to be forgotten but removing the excessively onerous clause obliging the controller to take all reasonable steps to erase personal data that has been made public.
In an effort to further reduce the burden on data controllers, the ITRE Committee advised that the duty to comply with data subjects’ requests for erasure, and the right to data portability of their personal data, should be limited “to the extent technically or practically feasible for the controller.” EDRi criticised these proposed amendments, suggesting that if controllers cannot delete the data they should be inspected by their competent data protection authority rather than be offered an exemption.
Data controllers have raised significant concerns that the right to data portability could undermine businesses’ legitimate interests in protecting intellectual property rights and trade secrets. The ITRE Committee also considered the risk that the measure may enable identity theft if proper safeguards are not built in. This led the ITRE Committee to limit the scope of the relevant article by providing that the right to data portability “shall not adversely affect the rights and freedoms of others, including trade secrets or intellectual property rights.” Again, EDRi criticised the proposed change, arguing that the right to portability is “a slight extension of the right to access” and would pose no real threat to the trade secrets of any platform provider.
The ITRE Committee was also concerned with the electronic format in which personal data is to be transmitted, which under the current wording of the proposed Regulation would be set by the Commission. It was suggested that the format should instead be established by reference to a harmonised industry standard, with responsibility for determining it given to the organisations concerned.
In reviewing the heavily criticised notification period for a personal data breach, the ITRE Committee echoed the sentiment of the ICO by indicating that a fixed 24-hour timescale for reporting a breach to the appropriate national supervisory body is unrealistic. Instead, it suggested that the data controller notify the personal data breach without undue delay, and only when the consequences of the breach have the potential to “seriously threaten the rights or legitimate interests” of the data subject. This reflects the ITRE Committee’s preference for a risk-based approach. Additionally, the ITRE Committee believes that the proposed requirement of prior authorisation before processing personal data, which would be new to many data protection authorities, including the ICO, could result in a misallocation of resources and create a significant burden, and consequently recommended that the provision be removed. Similarly, the ITRE Committee advocates a risk-based approach to prior consultation, suggesting that this requirement should apply only when the data controller plans to process “special categories of personal data” of higher sensitivity. EDRi criticised both proposals and advocates a comprehensive notification obligation coupled with a fixed deadline, on the basis that it would place more pressure on controllers to prevent data breaches in the first place.
The proposed reforms will bring about a significant increase in the sanctions for breach of data protection laws. The ITRE Committee believes that these should be set out in a single, easily referenced provision which gives the supervisory authority discretion, rather than a bright-line requirement to issue a fine, to impose a sliding scale of enforcement actions: from a warning without any sanction, up to, for repeated and deliberate breaches, a fine of €1 million or, for companies, up to 1% of annual worldwide turnover. The ITRE Committee also feels that the sensitivity of the data should be considered when assessing the amount of a fine.
The ITRE Committee supported the idea that special treatment should be given to small and medium-sized enterprises (SMEs), and voted to expand the approach in the current draft of the Regulation, which already provides a number of exemptions for SMEs.
In relation to the powers of the Commission to adopt delegated acts, the ITRE Committee opined that delegated acts would be overly prescriptive and may not be necessary for the majority of provisions in which they are currently proposed.
The ITRE Committee’s Draft Opinion has also been criticised on the basis that, in some cases, it was a wholesale cut-and-paste of provisions drafted by lobbyists, so it will be interesting to see how LIBE responds, since it has prime responsibility for steering the Regulation through the European Parliament. Let’s hope the ITRE Committee’s Draft Opinion has a positive impact, with the Regulation becoming less prescriptive and less burdensome on organisations while still harmonising provisions and preserving individuals’ rights.