Tag Archives: Albrecht report

Germany: Peter Schaar welcomes Proposal for Amendments by the European Parliament

According to the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, the report on the European General Data Protection Regulation submitted by the rapporteur of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament, Jan Philipp Albrecht, has to be seen as an important signal for a Europe-wide high level of data protection.

Peter Schaar: The proposed amendments would clearly improve the European Commission’s draft on the reform of European data protection law. The combination of personal data from different sources (profiling) shall be further restricted and the data subjects’ rights shall be strengthened. The data subjects’ right of objection shall be applied without any premises and thus independently of special personal reasons. I am also positive about the independent status of data protection authorities when coordinated action against privacy breaches shall be improved.

The European Parliament hopefully will approve the proposals and I advise the Federal Government to actively advance the absolutely necessary improvements of European data protection law in Council.

The rapporteur’s proposals for amendment prepare the LIBE Committee’s opinion, which regularly serves as a basis for decision-making in the plenary of the European Parliament. The data protection reform requires the consent of the European Parliament and of the Council of Governments of the EU Member States.

Source: The Federal Commissioner for Data Protection and Freedom of Information website

PILB: European Parliament’s take on the Regulation: Stricter, thicker and tougher

Eduardo Ustaran writes for the Privacy and Information Law Blog that if anyone thought that the European Commission’s draft Data Protection Regulation was prescriptive and ambitious, then prepare yourselves for the European Parliament’s approach. The much awaited draft report by the LIBE Committee with its revised proposal (as prepared by its rapporteur Jan-Philipp Albrecht) has now been made available and what was already a very complex piece of draft legislation has become by far the strictest, most wide ranging and potentially most difficult to navigate data protection law ever to be proposed.

This is by no means the end of the legislative process, but here are some of the highlights of the European Parliament’s proposal currently on the table:

*     The territorial scope of application to non EU-based controllers has been expanded, in order to catch those collecting data of EU residents with the aim of (a) offering goods or services (even if they are free) or (b) monitoring those individuals (not just their behaviour).

*     The concept of ‘personal data’ has also been expanded to cover information relating to someone who can be singled out (not just identified).

*     The Parliament has chosen to give an even bigger role to ‘consent’ (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data. In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual.

*     Individuals’ rights have been massively strengthened across the board. For example, the right of access has been expanded by adding to it a ‘right to data portability’ and the controversial ‘right to be forgotten’ potentially goes even further than originally drafted, whilst profiling activities are severely restricted.

*     All of the so-called ‘accountability’ measures imposed on data controllers are either maintained or reinforced. For example, the obligation to appoint a data protection officer will kick in when personal data relating to 500 or more individuals is processed per year, and new principles such as data protection by design and by default are now set to apply to data processors as well.

*     The ‘one stop shop’ concept that made a single authority competent in respect of a controller operating across Member States has been considerably diluted, as the lead authority is now restricted to just acting as a single contact point.

*     Many of the areas that had been left for the Commission to deal with via ‘delegated acts’ are now either specifically covered by the Regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities.

*     An area of surprising dogmatism is international data transfers, where the Parliament has added further conditions to the criteria for adequacy findings, placed a time limit of 2 years to previously granted adequacy decisions or authorisations for specific transfers (it’s not clear what happens afterwards – is Safe Harbor at risk?), reinforced slightly the criteria for BCR authorisations, and limited transfers to non-EU public authorities and courts.

*     Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines.

Whole story HERE.

 

The European Parliament released its reports on the data protection reform package, proposing several changes

European Parliament rapporteurs presented yesterday, according to a press release of the European Commission, two draft reports on the reform of the EU’s data protection rules proposed by the European Commission just a year ago (see IP/12/46 and MEMO/12/41). In their reports, Jan-Philipp Albrecht, rapporteur for the proposed Data Protection Regulation for the Civil Liberties, Justice and Home Affairs Committee (LIBE) of the European Parliament, and, Dimitrios Droutsas, rapporteur for the proposed Data Protection Directive for the law enforcement sector, express their full support for a coherent and robust data protection framework with strong end enforceable rights for individuals. They also stress the need for a high level of protection for all data processing activities in the European Union to ensure more legal certainty, clarity and consistency.

Some of the key points of the rapporteurs’ reports include:

  • The need to replace the current 1995 Data Protection Directive with a directly applicable Regulation. A single set of rules on data protection, valid across the EU will remove unnecessary administrative requirements for companies and can save businesses around €2.3 billion a year.
  • The support in principle for the Commission’s proposal to have a “one-stop shop” for companies that operate in several EU countries and for consumers who want to complain against a company established in a country other than their own. To ensure consistency in the application of EU data protection rules, the European Parliament rapporteur wants to create a powerful and independent EU data protection agency entrusted with taking legally binding decisions vis-à-vis national data protection authorities.
  • Support for the strengthening of users’ rights: they encourage the use by companies of pseudonymous and anonymous data; they further propose strengthening the concept of explicit consent for data to be legally processed by asking companies to use clear and easily comprehensible language (also with regards to privacy policies); the ‘Albrecht-report’ proposes further reinforcing the “right to be forgotten” (the right to erase one’s data if there are no legitimate grounds to retain it) by asking companies which have transferred data to third parties without a legitimate legal basis to make sure these data are actually erased.
  • The European Parliament rapporteurs agree with the European Commission’s proposal that EU rules must apply if personal data of individuals in the EU is handled abroad by companies which are not established in the Union. According to the amendments proposed it would be sufficient that a company aims at offering its goods or services to individuals in the EU. An actual payment from the consumer to the company is not needed to trigger the application of the data protection regulation.
  • The European Parliament rapporteurs stress the need to have independent national data protection authorities which are well-equipped to better enforce the EU rules at home. The ‘Albrecht-report’ provides guidance as to the staffing and resourcing of these authorities and welcomes the Commission’s proposal to empower them to fine companies that violate EU data protection rules.
  • On the delegated acts foreseen in the Regulation (also known as ‘Commission empowerments’ or acts which ensure that if, in practice, more specific rules are necessary, they can be adopted without going through a long legislative process): the European Parliament rapporteur wants to drastically reduce the number of delegated acts by including, among others, more detailed provisions in the text of the Regulation itself. The European Commission has recently shown its openness to such an approach (see SPEECH/12/764).
  • On the Directive that will apply general data protection principles and rules to police and judicial cooperation in criminal matters, the rapporteur agrees with the Commission’s proposal to extend the rules to both domestic and cross-border transfers of data. The report also aims to strengthen data protection further by enhancing individuals’ rights, giving national data protection authorities greater and more harmonised enforcement powers and by obliging them to cooperate in cross-border cases.

The European Parliament’s LIBE Committee will discuss the draft reports on 10 January.

The European Commission will continue to work very closely with the rapporteurs of the European Parliament and with the Council to support the Parliament and the Irish EU Presidency in their endeavour to achieve a political agreement on the data protection reform by the end of the Irish Presidency.

See the entire press release: http://europa.eu/rapid/press-release_MEMO-13-4_en.htm