According to a press release of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament, “a major overhaul of current EU data protection rules, to put people in control of their personal data while at the same time making it easier for companies to move across Europe” was voted on Monday.
The vote has been described as being “historic” and “a breakthrough”, the latter being declared by Jan Philipp Albrecht, the man of the hour, who was the rapporteur MEP for the General Data Protection Regulation proposal. According to Albrecht, “this evening’s vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the the challenges of the digital age. This legislation introduces overarching EU rules on data protection, replacing the current patchwork of national laws”.
The Commissioner of Justice, Viviane Reding, was as excited about the news as Albrecht. She twitted shortly after the vote concluded: “With a large majority vote, @Europarl_EN committee has sent a strong signal tonight: as of today data protection is made in #Europe”.
However, all this excitement could be seen as premature, when one thinks that the European Council has still to achieve a common ground regarding the draft regulation. This means that the governments of all the 28 EU Member States must conclude the debates on the GDPR and come up with the Council’s own amendments. After the final draft of the Council is ready, the Parliament and the Council must also achieve a common ground regarding the GDPR before they vote it and it will enter into force.
Forget the “right to be forgotten”
The text of the draft GDPR voted by the LIBE committee has not yet been published. The only official indications with regard to its content are entailed in the press release previously cited. According to it, we find out that the controversial “right to be forgotten”, originally enshrined in Article 17 of the GDPR proposal, will lose its catchy name and probably the main reason it received so much attention. The good news is that the content of the right seems to remain the same:
“any person would have the right to have their personal data erased if he/she requests it. To strengthen this right, if a person asks a data controller (e.g. an Internet company) to erase his/her data, the firm should also forward the request to others where the data are replicated. The “right to erasure” would cover the “right to be forgotten” as proposed by the Commission”.
The reverse of general excitement: why the “Safe Harbor” panic?
While the EU officials directly involved in the GDPR legislative process are applauding the vote of the LIBE committee, voices from the US started to panic because of the imminent danger which apparently threatens (“torpedoes“?) the Safe Harbor agreement, already imagining a world without it.
Both the extreme happiness and panic are not justified at this point of the legislative process. There are still difficult stages to surpass before this piece of legislation will enter into force. The will of the governments of the 28 MSs rarely mirrors the vision of the European Parliament. As such, unfortunately, we will have to wait a bit more before affirming that data protection is made in #Europe.
Reding on pseudonymous data: We should encourage companies to use pseudonyms rather than the actual names
Commissioner Viviane Reding intervened in the Justice Council on March 8, 2013, on matters related to the adoption of the Data Protection Regulations. She referred among other things to the issue of pseudonymous data, saying that incentives should be created for companies to use such data instead of the names of the data subject. Nevertheless, Reding insisted that it should always be kept in mind that pseudonymous data is personal data and that it should be subject in general to the data protection legal regime.
Reding:
“Anonymous data is easy to deal with. It is outside the scope of the instrument. There is no risk. The Commission’s proposal makes this clear.
Pseudonymous data is more difficult. I understand the principle. We should encourage companies to use pseudonyms rather than the actual names of persons. This makes sense. It is in the interest of citizens. For pseudonyms to be used, you need to create incentives. Lighter obligations on privacy by design or on notification of breaches are candidates.
The inclusion of a notion of pseudonymous data has also been suggested by the European Parliament’s Rapporteur, Jan-Philipp Albrecht. This demonstrates that there is convergence between the Council and the Parliament on key elements of this file.
But I would sound a note of caution: Pseudonymous data is personal data. It relates to an identified or identifiable natural person and has to be protected under the Charter and EU law. Risks to privacy remain and are real. A single piece of data such as an email address can create a link between a very accurate profile and a person. It is particularly important to keep this in mind since pseudonymous data is often used in the health sector.
So I am happy to work on the notion of pseudonymous data but I will be vigilant. We need a robust definition and robust safeguards. Pseudonymous data must not become a Trojan horse at the heart of the Regulation, allowing the non-application of its provisions.”
You can find the entire intervention HERE.
Share this:
Leave a comment
Posted in Comments
Tagged data protection regulation, pseudonymous data, pseudonyms, Viviane Reding