The Industry, Research and Energy Committee (IREC) has outlined changes it would like to see made to the European Commission's draft Data Protection Regulation which was originally published last year. One of those changes should be to list the processing of pseudonymised data as a "legitimate interest" of data controllers, it said.
"Making the processing of personal data lawful when that data has been rendered pseudonymous will encourage data minimisation and the practice of 'pseudonymising' data to the benefit of all data subjects since, by definition, the data cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls," an opinion adopted by IREC said.
The Committee has also backed proposals that would set out terms that regulators would have to refer to in order to determine how substantial a fine they should levy on organisations that breach the proposed Regulation. It has backed the setting out of the aggravating and mitigating factors that those authorities should legally have to consider when making such a judgment.
Aggravating factors that would merit the levying of a higher penalty would include if an organisation was a repeat offender, if it refused to cooperate with or obstructed a regulator and if violations were "deliberate, serious and likely to cause substantial damage", it said.
Organisations that take measures to "ensure compliance", that have "genuine uncertainty" whether their alleged violation was a breach of the rules and that immediately stop the breach upon gaining "knowledge" of it would stand to be looked upon more kindly by regulators when determining sanctions, according to the IREC's proposals.
IREC is one of four European Parliament committees looking into the data protection reforms. The lead committee is the one on Civil Liberties, Justice and Home Affairs which is due to vote on its own report in April.