On January 10, 2013, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), Jan Philipp Albrecht, presented his draft report (the “Report”) on the proposed amendments to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) to the LIBE Committee.
The Report includes detailed changes proposed by various stakeholders which Rapporteur Albrecht consolidated and distilled into a single text. The text will form the basis for further LIBE (and other) committee discussions before being voted on by the EU Parliament. This Report is a first draft prepared for one committee of one of the three EU institutions (the European Commission, the Parliament and the Council), and, accordingly, the changes suggested are by no means final.
The main amendments suggested in the Report include the following:
Extended Territorial Scope
The Report expands the application of the Proposed Regulation to non-EU based data controllers to cover all data processing activities aimed at (1) offering goods and services to EU residents (even if they are free of charge), or (2) monitoring EU residents in general (not only their behavior).
Clarification of Key Concepts
The Report clarifies the concept of “personal data” to cover data relating to individuals who can be singled out (not just identified), and also introduces new definitions for terms such as “transfer,” “profiling” and “pseudonyms.”
Changes to the Legal Bases for Data Processing: Legitimate Interest and Consent
The Report limits the scope of the “legitimate interest” legal basis for data processing to “exceptional circumstances,” on the condition that the data controller (1) informs the individuals concerned explicitly and separately, and (2) publishes the reasons for believing that its interests override the interests or fundamental rights and freedoms of the individuals. The Report provides further guidance on the circumstances in which the legitimate interests of the data controller may override the interests or fundamental rights and freedoms of the individuals.
Reinforcement of Data Subjects’ Rights
Individuals’ rights are further reinforced and the obligations on data controllers increased. In particular, the right of access is strengthened to include a right to data portability, and data controllers would be required to provide and communicate their privacy policies using a multi-layered approach. Profiling of individuals also is further restricted. On the other hand, individuals will not be able to invoke the controversial “right to be forgotten” where the publication of their personal data has a legitimate legal basis.
Data Protection Officers
The Report replaces the employee-based criterion for appointing a data protection officer (introduced by the European Commission) with a new test: data controllers would be obliged to appoint a data protection officer if they process personal data relating to more than 500 data subjects per year. This means that even small data controllers would be obliged to appoint a data protection officer if they meet this threshold.
Breach Notification, Fines and Compensation
According to the Report, data breaches should be notified to the National Supervisory Authority within 72 hours, as opposed to the 24 hours initially proposed by the European Commission.
The Report makes several modifications regarding how national supervisory authorities will determine fines. Maximum fines remain tiered in three categories (€250,000 or 0.5% annual global turnover; €500,000 or 1% annual global turnover; and €1,000,000 or 2% annual global turnover). However, the scope of the highest category of fines has been expanded significantly to cover all infringements of the Proposed Regulation that do not fall into any of the other categories.
Further, the Report clarifies that the data subject’s right to compensation includes the right to be compensated for non-pecuniary damage such as wasted time or distress. The European Data Protection Board (“EDPB”) is tasked with ensuring that the national supervisory authorities apply their sanctioning powers consistently.
International Data Transfers
The Report would eliminate the European Commission’s ability to recognize sectors in third countries as providing an adequate level of data protection. Adequacy decisions would require delegated acts to ensure that the Council and Parliament participate in the decisionmaking process. The Report also proposes amendments regarding international data transfers to third countries under the Safe Harbor regime or using standard contractual clauses. The relevant Commission decisions allowing the use of these data transfer mechanisms would expire two years after the Regulation takes effect (whereas the Proposed Regulation initially stated that such decisions remain in force “until amended, replaced or repealed by the Commission”). In addition, the Report adds more to the criteria for adequacy findings and strengthens the criteria for Binding Corporate Rules. The Report also inserts new provisions addressing data transfer requests from courts and authorities in third countries, imposing the need to obtain prior authorization from the national supervisory authorities in certain cases.
Strengthening of the EDPB and the New Consistency Mechanism
The Report includes a noticeable focus on the EDPB, the intended successor of the current Article 29 Working Party. The Report transfers certain powers that were assigned to the European Commission to the EDPB, and reduces the European Commission’s power to adopt delegated acts.
Another important amendment is the revised consistency mechanism: in the event multiple national supervisory authorities are competent, one national supervisory authority will take the lead and coordinate its efforts with the remaining authorities internally. In contrast, the European Commission’s text afforded a single national supervisory authority the power to regulate businesses with multiple EU establishments without having to formally coordinate its actions with other supervisory authorities. The scope of supervision also is extended: a national supervisory authority would be competent if “personal data of residents of that Member State are processed.” This represents a step away from supervision based on territory, and a step toward supervision based on the origin of personal data.
Miscellaneous
Other changes proposed by the Report include:
- an emphasis on data protection by design and default;
- a wider scope of national derogations to safeguard the freedom of expression;
- rules governing health data and how it may be processed;
- rules on how to process personal data for historical/statistical purposes; and
- derogations on the use of social security data.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code