On March 20, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) held legislative deliberations regarding the European Commission’s proposed General Data Protection Regulation (“Proposed Regulation”). The LIBE Committee Chair, Juan Fernando López Aguilar, noted that 2,783 amendments to the Proposed Regulation and 504 amendments to the proposed Police and Criminal Justice Directive (“Proposed Directive”) have been tabled.
Rapporteur Albrecht
LIBE lead rapporteur Jan Philipp Albrecht noted that the fundamental principles of the European Data Protection Directive 95/46/EC are not in dispute, and that the purpose of the Proposed Regulation is to harmonize implementation of data protection principles across Europe and with respect to new technologies. He advocates a unified framework, preferring a single legal instrument as opposed to both the Proposed Regulation and Proposed Directive; at a minimum, a single instrument for general data processing is important. Rapporteur Albrecht considers that key objectives of the Proposed Regulation should be to harmonize and strengthen individuals’ rights and to provide legal certainty. He is optimistic that the Proposed Regulation can be settled during the current Irish presidency of the Council of the European Union.
Director General Le Bail
Françoise Le Bail, Director General for the European Commission’s Directorate-General Justice, is similarly optimistic that the Council will be able to reach political agreement on the Proposed Regulation by June 2013. She highlighted as key issues the wide scope of the Proposed Regulation, the broad definition of “personal data,” the “one-stop-shop” concept and the importance of sanctions.
- Scope of the Proposed Regulation: The Proposed Regulation should apply to EU citizens, regardless of residency.
- Definition of “personal data”: The current broad definition is of crucial importance and must be maintained. In particular, personal data relating to individuals acting in their professional capacity (e.g., job title, work address) are covered by the definition. The Commission is prepared to work with the Council and Parliament on a definition of “pseudonymous” data, but the current levels of data protection for personal data must be maintained.
- The “one-stop-shop”: The lead authority concept is an essential pillar of the Commission’s proposal and is a key element in simplifying data protection rules for companies operating across the borders of Member States. The existing provisions on the one-stop-shop concept require clarification to ensure that the drafting reflects the Commission’s desire to encourage simplification.
- Sanctions for non-compliance: For Director General Le Bail, “a strong system means fines.” Without sanctions, the reforms will not be meaningful. Further, the Commission supports all proposed amendments that would strengthen data protection authorities, which are considered of “essential” importance under the revised framework.
Shadow Rapporteur Voss
European Parliament shadow rapporteur Axel Voss emphasized the need to achieve a balance between the interests of individuals and businesses, and between existing business models and new technologies. He stated that the fundamental principles of Directive 95/46/EC should be preserved, but modifications and improvements are needed in certain areas (e.g., online processing). The Proposed Regulation should not be a reworking of Directive 95/46/EC. Voss called for clarification, in particular for the definitions of “personal data,” “pseudonymous data” and “anonymous data.” Voss also cautioned against overly restrictive wording in the Proposed Regulation since the rules need to be flexible, and against excessive bureaucracy, calling for a better balance in the administrative provisions and a high degree of self-regulation. In particular, he urged that the provisions relating to high-risk processing activities must still be practical and workable.
Shadow Rapporteur Ludford
Shadow rapporteur Sarah Ludford was appointed just last week to replace Alexander Alvaro following a serious injury. Ludford encouraged LIBE Committee members to read Alvaro’s draft amendments to the Proposed Regulation, which demonstrate Alvaro’s creative approach to the issues. In particular, she noted Alvaro’s amendments emphasize the importance of the context of data processing activities, especially the degree of risk involved and the likelihood of data subject identification. Ludford urged that the Proposed Regulation should strike a balance between achieving a high level of data protection and economic value and job creation in the EU, noting that the two concepts are not mutually exclusive. In particular, she pointed to media coverage regarding business concerns over the Proposed Regulation’s inflexibility as being both inaccurate and unhelpful.
European Data Protection Supervisor Hustinx
European Data Protection Supervisor Peter Hustinx had provided a letter to LIBE on March 15 and presented his comments at the deliberations. He urged the LIBE Committee to follow Voss’ report. He stated that the Commission’s definition of “personal data” should be maintained and emphasized that pseudonymous and encrypted data are both clearly personal data. Hustinx disagreed that the scope of the Proposed Regulation should apply to “residents of the EU,” as opposed to “citizens.” He strongly supported the Commission’s emphasis on explicit consent. Regarding the “legitimate interests” basis for data processing, he cautioned that this involves a balancing test that must be determined on a case-by-case basis. He argued against listing presumptions and rules of thumb that would, in his view, lead to confusion.
Article 29 Working Party Chairman Kohnstamm
Jacob Kohnstamm, Chairman of the Article 29 Working Party, endorsed the Proposed Regulation, and was “even more positive about the Rapporteur’s proposals.” He particularly welcomed Rapporteur Albrecht’s proposed amendments with respect to the lead authority concept, and proposed sanctions for non-compliance.
- The “one-stop-shop”: Kohnstamm welcomed the lead authority concept, but, as per Rapporteur Albrecht’s proposed amendment, he thinks that the lead authority should not have exclusive jurisdiction. He also urged that data controllers should not be able to determine their place of “main establishment” as this could lead to forum shopping. Where there is any uncertainty as to an entity’s main establishment, this should be determined by the European Data Protection Board.
- Sanctions for non-compliance: Kohnstamm welcomed a wider margin of appreciation for data protection authorities in relation to sanctions, in particular, in deciding whether or not to impose sanctions for unintentional breaches of the Proposed Regulation.