The European Parliament's committee on civil liberties, justice and home affairs adopted a new EU draft legislative package to strengthen citizens’ data protection, yesterday evening in Strasbourg.
The new provisions backed by the MEPs will now have to be negotiated with EU governments. However, yesterday’s vote – with a large majority – clearly indicates that the final legislation will have to include, among other things, the right to have your data erased ('the right to be forgotten'), the obligation to fully inform citizens and get their clear consent on the use of data, and a prohibition on using data for any sort of profiling or transferring it to third countries without specific guarantees and international agreements. Moreover, these provisions will also have to apply to police and other law-enforcement authorities.
S&D MEP Dimitris Droutsas, the Parliament's rapporteur for the directive, who will now be in charge of negotiating with EU ministers on behalf of the European Parliament, said:
“The protection of EU citizens’ personal data – in all areas, private and public sector – is definitely one of the most important issues for the European Parliament.
“EU governments and the Council must move fast. It is now their turn to act. The EU leaders will have an excellent opportunity to show their decisiveness at the next meeting of the European Council this week. We are all waiting for this.
“The European Parliament has delivered what citizens expected from it. And I am proud to say that the contribution from the European Socialists and Democrats in achieving this goal has been visible and strong.”
S&D vice-president Sylvie Guillaume MEP added:
“The processing of personal data has become the 'grey gold' of the 21st century.
“The Socialists and Democrats have demonstrated through this vote that they want to make sure citizens keep control of their data and give them confidence in companies. An important step in that direction is the fact that non-European companies will have to stick to European data protection law in the European market. Let's try now to move the Council towards our position.”
Claude Moraes MEP, the rapporteur for the European Parliament's Inquiry on the Mass Electronic Surveillance of EU citizens, said:
“The recent revelations by Edward Snowden have exposed legal loopholes in relation to the transfer of EU citizens' data to third countries, including the US.
“Yesterday's historic vote on the data protection package is an important step towards guaranteeing a high level of data protection for transatlantic transfers of EU data.
“These new laws will make it harder for US companies like Google and Facebook to hand over EU citizens' data to the US authorities. Any such transfer of European citizens' data must respect this new legal framework on data protection or must be based on an international agreement.”
Main provisions steered through by the S&D Group and adopted by the EP committee on civil liberties, justice and home affairs:
1. FUNDAMENTAL PRINCIPLES
The processing of personal data must be lawful, fair and transparent in relation to the individuals concerned. The specific purposes for which the data are processed should be explicit and legitimate and determined at the time the personal data are collected. Moreover, the personal data should be adequate, relevant and limited to the minimum necessary for the purposes for which they are processed. Time limits should be established for erasure or periodic review. Personal data should not be processed for purposes incompatible with the purpose for which they were collected.
2. DEFINITION OF DATA
Any information that can be linked directly or indirectly to an individual is defined as personal information and is thus strongly protected. Personal information also covers location data, identification numbers, personal identifiers and so-called metadata.
3. GENETIC DATA
A new article is introduced concerning genetic data. The processing of genetic data should only be allowed if there is a genetic link which appears in the course of a criminal investigation or a judicial procedure. Genetic data should only be stored as long as strictly necessary for the purpose of such investigations and procedures, while Member States can provide for longer storage under the conditions set out in this Directive.
The protection of data by pseudonymisation is encouraged and incentivised. However, where pseudonymous data from a single source or from different sources are aggregated and processed together in a way that can lead to the identification of a person, they will no longer be considered pseudonymous.
5. LAW ENFORCEMENT
Currently, national law enforcement authorities have to adhere to different sets of legal rules and procedures depending on the type of work they are conducting (internal data processing in a member state, cross-border cooperation, international cooperation, Europol, Eurojust, Prüm). The proposed Directive seeks to clarify the situation by creating a coherent legal framework for all police personal data processing and data exchange, both internally, within the EU, and with third countries.
The fact that data are processed for a law enforcement purpose does not necessarily imply that this purpose is compatible with the initial purpose. The concept of compatible use has to be interpreted restrictively. Moreover, provisions are inserted requiring that the authorities be able to demonstrate compliance with the law.
6. TRANSFERRING DATA TO THIRD COUNTRIES
Safeguards must be introduced against unwarranted transfers of personal data. Companies like Google, Facebook and Skype are not allowed to transfer personal data to the authorities of third countries. This can only occur under European law or under an agreement based on European law. Without a concrete agreement, transfers are not allowed.
Wholesale transfers of data will be limited to the data strictly necessary. Moreover, the decision to transfer will be made by a duly authorised person, and the transfer must be documented and made available to the supervisory authority on request, so that the lawfulness of the transfer can be monitored.
Profiling that has the effect of discriminating against an individual on the basis of, for example, race or ethnic origin, political opinions, trade union membership, sexual orientation or gender identity is prohibited. Any kind of blacklisting of workers is strictly forbidden.
8. CLEAR INFORMATION
Everyone must be clearly informed about what happens to their data, how they are used and for which purposes, and they must in principle be able to consciously agree to or reject the processing. Clear standardised icons should be provided at the outset to give a general picture of the data processing, with further information presented on the particularities. Website owners should only be allowed to track users if the privacy settings of the browser signal that the user agrees to it.
9. FREE CONSENT
When consent is needed for the processing, it must be a freely given, informed and explicit indication of the wishes of the data subject, expressed either by a statement or by clear affirmative action. Whenever consent has not been freely given, or is based on incorrect information, the consent is not valid.
Data processors, as well as producers of IT systems, should design their products in a way that respects these principles and with the most data protection-friendly default settings. It should also be possible to use services anonymously or pseudonymously.
10. RIGHT TO BE FORGOTTEN
Everyone has the right to request that their personal data on the internet be deleted and/or corrected. The deletion or correction must be carried out, and the company processing the data must also communicate the request to any third party to which it sent the data, so that the data are deleted or corrected there as well. Anyone publishing private data illegally is obliged to ensure that every copy is deleted.
The administrative burden for small and medium-sized enterprises (SMEs) must be cut whilst keeping high data protection standards.
12. DATA PROTECTION AUTHORITIES
National data protection authorities must be strengthened and receive sufficient resources to perform their tasks. They shall supervise compliance, hear complaints, assist data subjects, conduct investigations and certify technical and other standards. The national supervisory authorities shall provide mutual assistance to each other in cross-border cases and conduct joint operations.
A European Data Protection Board must be created to issue opinions, guidelines and recommendations both to national authorities and to lawmakers. The board shall promote cooperation between the national authorities and act as the final arbiter in individual cases where consistency is at issue.
13. 'ONE-STOP-SHOP' APPROACH
Citizens will have to deal with only one data protection authority in the whole EU: they can go to their own national data protection authority with complaints about data abuse anywhere in the EU. Likewise, companies will only have to deal with the authority in the country of their main establishment.
14. IMPACT ASSESSMENT
Where a data protection impact assessment indicates that processing operations are likely to present a high degree of specific risk, the supervisory authority should be in a position to prevent, before the operations start, risky processing that does not comply with EU rules, and to make proposals to remedy the situation.
Such consultation may equally take place in the course of the preparation of a law of the national parliament or of a measure based on such law.
The European Data Protection Board should establish common rules to enable whistleblowers to come forward safely with information on violations of the law, and offer them appropriate protection.
Depending on factors such as the nature, duration and severity of the breach, its intentional or negligent character and whether it is repeated, the sanctions can range from a warning to regular auditing and, in the most severe cases, a fine of up to 5% of the company's worldwide turnover, which can amount to hundreds of millions.
17. DIFFERENCES WITH EUROPEAN COMMISSION'S PROPOSAL
The proposed regime for transferring personal data to third countries was weak and did not provide all the safeguards necessary to protect the rights of individuals whose data would be transferred. It provided lower protection than the proposed Regulation. For example, the Commission proposal would have allowed transfers to a third-country authority or an international organisation that was not competent for law enforcement purposes. Where a transfer was based on an assessment made by the data controller, the Directive could have allowed massive and bulk transfers of personal data. This has now been changed: all transfers must be based on a Commission adequacy decision, or on a law or legally binding instrument guaranteeing appropriate safeguards for the protection of personal data.
The Directive proposed by the European Commission was, in many respects, not legally aligned with the provisions of the proposed Regulation. It was paramount that the two legal instruments (the Data Protection Regulation and the Directive) contain the same provisions everywhere, except where the law enforcement area specifically needed different ones. Identical wording has been used in order to remove differences and ensure consistency between the two legal texts. This will also significantly ease the work of national authorities, as they will only need to implement one standard.