On August 14 and August 26, 2015, the Conference of the Data Protection Commissioners of the Federal Government and the Federal States (Länder) issued a detailed position paper (“Position Paper”) and a press release on the main issues for the trilogue negotiations on the proposed EU General Data Protection Regulation (the “Regulation”). In the Position Paper and press release, the participating German Data Protection Commissioners (“German DPAs”) request the trilogue partners to focus on the following issues:
Data Minimization
To limit interferences with fundamental rights, the Position Paper asserts that it is essential to limit the collection of data to only what is necessary to achieve legal and legitimate purposes. The Position Paper notes that unlimited collection of data creates numerous risks for individuals, including the risk of profiling individuals based on the acquisition of data from different aspects of an individual’s life. As such, the German DPAs request that the principle of data minimization be kept in the final version of the Regulation, as opposed to the Council’s version of June 2015.
Consent
The Position Paper asserts that the individual’s consent must remain his/her expression of self-determination and autonomy with regard to the processing of his/her personal data. Contrary to the Council’s proposal – which makes unambiguous consent sufficient – the German DPAs believe that only opt-in consent should be accepted as compatible with data protection principles.
Data Subjects’ Rights
The Position Paper maintains that, to ensure effective implementation of data subjects’ rights, actions taken in response to requests must be free of charge. This view is in opposition to the Council’s approach, which explicitly provides for the absence of fees only for the right of access, leaving the exercise of other rights uncertain. According to the German DPAs, the exercise of all data protection rights should instead be encouraged by the absence of fees.
Purpose Limitation
In the Position Paper, the German DPAs suggest that purpose limitation strengthens the rights of individuals by ensuring transparency of data processing and helping to prevent data from being further processed in a way that is incompatible with the initial purposes for which the data was collected. In contrast, the Council’s approach allows the possibility to process data for reasons other than the purposes for which personal data was collected initially. The German DPAs indicate their opposition to the Council’s approach, which they believe would considerably weaken the principle of purpose limitation and put the individuals’ rights at risk.
Profiling
The German DPAs consider the proposed rules on profiling in Article 20 of the Regulation to be inadequate to protect individuals effectively against the creation of personality profiles. The Position Paper notes that the provisions as proposed do not make profiling itself subject to special requirements, but only decisions based on automated processing or measure-based processing, and are therefore inadequate to protect individuals. More specifically, according to the Position Paper, the Council’s approach covers only a specific result of data processing, not the essential questions relating to profiling. In this context, the German DPAs propose that the following points be covered by the Regulation:
- an approach covering all profiling or measures based on profiling, rather than only automated decision making;
- a clear definition of the exceptions from the prohibition of profiling;
- a high level of transparency and awareness for data subjects accompanying the processing of personal data for profiling purposes; and
- the anonymization or pseudonymization of the data used to create and evaluate profiles as early as possible in the process.
Data Protection Officers
The Position Paper reiterates the importance of a concrete level of data protection in businesses and government agencies. To reach this level and create a sufficient local data protection culture, the German DPAs suggest making the designation of data protection officers mandatory Europe-wide.
Cooperation among Data Protection Authorities (“DPAs”) in Europe
In the Position Paper, the German DPAs indicate their support for the so-called “one-stop shop, a consistency mechanism and a European Data Protection Board,” providing for the election of a lead DPA as a single point of contact for a business. The German DPAs, however, also ask the stakeholders involved in the trilogue to define practical rules for the model proposed, arguing that it is currently too complex for the supervisory authorities, particularly regarding time limits and administrative assistance between the DPAs.