Out-Law / Your Daily Need-To-Know

Out-Law News

Plans to limit use of 'legitimate interests' rules to justify personal data processing look set to be watered down


An MEP's plans to heavily restrict businesses' ability to process personal data in accordance with their 'legitimate interests' and without the consent of individuals appear set to be watered down under draft new rules set to be voted on by a European Parliamentary committee.

The Civil Liberties, Justice and Home Affairs (LIBE) Committee is scheduled to begin a vote on Monday, which may not be concluded until Thursday (3-page / 132KB PDF) this week, on proposed amendments to the draft General Data Protection Regulation tabled originally by the European Commission in January last year.

In a draft report published earlier this year, the rapporteur on the data protection reforms for LIBE, MEP Jan-Philipp Albrecht, proposed amendments to the Commission's text which would, if introduced, restrict businesses' ability to rely on the 'legitimate interests' basis for processing personal data to "exceptional circumstances". Albrecht's major amendments would also set out when organisations' 'legitimate interests' could be said to outweigh individuals' rights, and vice versa.

However, according to leaked documents on the draft amendments set to be voted on, published by the European Digital Rights group (EDRi), businesses would face less restrictive rules on 'legitimate interests' than Albrecht had originally proposed.

Under both the existing EU data protection rules and the draft new rules to be voted on by the LIBE Committee, businesses have to satisfy one of six conditions governing the lawfulness of personal data processing in order to proceed with the processing of that data.

One of the common ways in which businesses can process personal data is by obtaining the consent of individuals to do so. Another legal basis for such processing is where the processing is in businesses' legitimate interests.

Under the live proposals, businesses would have the right to process personal data under the 'legitimate interest' rules if the processing is "necessary for the purposes of the legitimate interests" they are pursuing and providing the purposes of the processing "meet the reasonable expectations of the data subject based on his or her relationship with the [company]".

This general rule would apply except where businesses' legitimate interests "are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data." Public authorities would be prohibited from relying on the 'legitimate interests' condition to process personal data.

A draft recital contained within the leaked documents explains that the processing of pseudonymised data would be "presumed to meet the reasonable expectations of the data subject based on his or her relationship with the [company]". Individuals would be able to object to such processing "on grounds relating to their particular situation" free of charge.

Businesses seeking to process pseudonymised data would have to "explicitly inform" individuals what legitimate interests they are pursuing and of their right to object.

According to the leaked draft provisions, businesses would be able to claim that the processing of personal data for direct marketing purposes is a 'legitimate interest' of theirs, subject to certain conditions about the scope of the marketing and the notification of individuals.

"Provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, the processing of personal data for the purpose of direct marketing for own or similar products and services or for the purpose of postal direct marketing should be presumed as carried out for the legitimate interest of the [data] controller, or in case of disclosure, of the third party to whom the data is disclosed, and as meeting the reasonable expectations of the data subject based on his or her relationship with the controller if highly visible information on the right to object and on the source of the personal data is given," according to one of the leaked documents.

The rules around 'consent' also look set to be changed, under the amendments to be voted on by the LIBE committee.

Businesses would be barred from forcing individuals to consent to the processing of personal data when agreeing a contract or providing a service beyond the details that are necessary to execute that contract or provide that service.

Consent would be "purpose limited" and would "lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected", according to the proposals. In addition, businesses would have to give individuals the right to withdraw consent through a mechanism that is as easy to use as the one used for giving consent.

Data protection authorities would be able to impose fines of up to €100 million, or 5% of companies' annual global turnover, whichever amount is greatest, on businesses that breach the rules, should the amendments before the LIBE committee become law.

First-time offenders, or those guilty of "non-intentional non-compliance" would be issued with a warning. The regulators would also be able to force companies to undertake "regular periodic data protection audits" under the administrative sanctions listed under the proposals.

If the LIBE committee backs the plans they would then enter into negotiations with the EU's Council of Ministers to try to find a consensus on the wording of a single text to bring about reforms to the data protection law framework. All MEPs would then be asked to vote on that text and would have to pass it, together with the EU Ministers, before a new General Data Protection Regulation could come into force.
