Who has not, at some point, accepted a long and incomprehensible contract on the Internet in order to access some content? If we had read it, or at least understood it, we would probably have seen that we were authorising the company in question to make commercial use of our personal data, a right which, also often, these companies use abusively.
The protection of personal data in the Internet era is one of the great democratic challenges of the current digital age. And yet the laws that regulate the public exposure of personal data have become obsolete.
All of this calls for a clarification of the many legal gaps at national and European level, and a strengthening of the rules (and of the sanctions).
The European Commission and the European Parliament have set to work on it. Today the LIBE Committee debated the draft reports by Jan Albrecht, Greens (General Data Protection Regulation) and Dimitrios Droutsas, S&D (General Data Protection Directive).
I have been able to follow first-hand the work of my colleague Albrecht, one of the most respected MEPs inside and outside the Chamber on all matters relating to citizens' rights, especially in the context of the online world. His presentation today at LIBE earned the recognition of most groups and even of the Commission and the Data Protection Agency.
Schematically, the ten points that justify this reform of the legal framework are the following:
1. Data protection is a fundamental right, and it is here to stay (anything less than this will be unacceptable)
2. If you want my data, ask for my consent (clear rules, fewer exceptions and more transparency are needed)
3. It is the legislator (the EP) who must define the rules (legal certainty for everyone is needed; the Commission cannot be the only actor involved)
4. Wherever the personal data of EU citizens are processed, it must fall within the framework of the Regulation (the definition of the territorial and institutional scope needs to be improved)
5. Economic growth and data protection are not necessarily in contradiction! (better competition, single market, trust and innovation, for example in relation to privacy technologies)
6. We want a single point of contact for companies and citizens! (a One Stop Shop for everyone)
7. Maximum data protection with minimum paperwork! (documentation must guarantee individual rights)
8. A company's data protection officer must guarantee accountability
9. The EU data protection agency must ensure the correct and consistent application of the law
10. Sanctions must be tough and exemplary, and set on the basis of a principle of proportionality.
The timetable, agreed today in LIBE, will take us to a committee vote probably at the end of April, so that from May we would already enter the so-called Trilogue (three-way negotiations between the Parliament, the Council and the Commission).
The two reports in question are:
DRAFT REPORT on the proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), by Jan Philipp ALBRECHT
Deadline for tabling amendments: 27-02-2013
Related documents in dossier LIBE/7/08739
Documents related to procedure 2012/0011(COD)
DRAFT REPORT on the proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, by Dimitrios DROUTSAS
Deadline for tabling amendments: 27-02-2013
Related documents in dossier LIBE/7/08742
Documents related to procedure 2012/0010(COD)
For more detailed information on the content of the texts, I attach below the briefing by our group's adviser on these matters: (continues…)
In accordance with Article 8 of the EU Charter, the right to personal data protection is as follows:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Since the adoption of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, a lot has changed in the area of data protection, notably technological developments, increased collection and processing of personal data, including for law enforcement purposes, with a patchwork of applicable data protection rules and globalisation of markets and cooperation.
Furthermore, the Directive has failed to achieve a proper harmonisation due to the different implementation of its provisions in the Member States. In this context it has become increasingly difficult for individuals ('data subjects') to exercise their right to data protection.
Finally it has hampered the development of the single market with companies (controlling or processing personal data, ‘data controllers’) and individuals facing differences in data protection requirements.
Since the entry into force of the Lisbon Treaty, the Union has an explicit legal basis for data protection covering processing of personal data in the public and private sector but also in the context of law enforcement (resulting from the collapse of the pre-Lisbon "pillar structure") (Article 16(2) TFEU). The Commission has now used Article 16(2) TFEU as legal basis to present proposals for a revision of the Union's data protection framework. It proposes a Regulation (COM(2012)11) that will replace Directive 95/46/EC (rapporteur: Jan Philipp Albrecht, Greens/EFA) and a Directive (COM(2012)10) that will replace Framework Decision 2008/977/JHA on the protection of personal data processed for the purpose of prevention, detection, investigation or prosecution of criminal offences (rapporteur: Dimitrios Droutsas, S&D). Both rapporteurs support the objective of establishing a fully coherent, harmonious and robust framework with a high level of protection for all data processing activities in the EU. In order to achieve this objective the Commission proposals must be considered a single package requiring coordinated legislative approaches for both texts.
Extensive discussions have taken place on the data protection reform between the rapporteurs and the shadow rapporteurs, the draftspersons and shadows of the Committees for opinion (ITRE, IMCO, JURI, EMPL), the Council Presidency, the Commission and stakeholders (data protection authorities, national authorities, industry, civil rights and consumer organisations, academic experts) in order to ensure broad support for the Parliament’s approach.
A stakeholder workshop was organised by the LIBE committee on 29 May 2012. The LIBE committee also held its annual Inter-Parliamentary Committee Meeting (IPCM) together with national parliaments in the area of freedom, security and justice on the data protection reform package on 9 and 10 October 2012. Four Working Documents were produced on the data protection reform package.
Position on the draft Data Protection Regulation
The Commission’s proposal is based on the following aims:
- A comprehensive approach to data protection;
- Strengthening individuals' rights;
- Further advancing the internal market dimension and ensuring better enforcement of data protection rules; and
- Strengthening the global dimension.
Jan Albrecht, the rapporteur, supports these ambitions. His approach is presented accordingly.
A comprehensive approach to data protection
As indicated in the Working Document of 6 July 2012, the rapporteur welcomes the fact that the Commission has chosen to replace Directive 95/46 with a (directly applicable) Regulation, since this should reduce the fragmented approach to data protection among Member States.
He also agrees with the pragmatic approach chosen by the Commission in leaving room, in accordance with the Regulation, to the Member States to maintain or adopt specific rules regarding issues such as freedom of expression, professional secrecy, health and employment (articles 81-85). Particular reference is made to work of the Employment and Social Affairs Committee, which is to deliver an opinion on Article 82.
EU institutions are not within the scope of the new Regulation. However, they should be covered to ensure a consistent and uniform framework throughout the Union. This will require an adjustment of EU legal instruments, particularly Regulation (EC) No 45/2001, to bring them fully in line with the general Data Protection Regulation before the latter will be applied. The rapporteur also sees a need for a more horizontal debate on how to address the current patchwork of data protection rules for different EU Agencies (such as Europol and Eurojust) and ensure consistency with the data protection package (Article 2(b), Article 89a).
The rapporteur strongly regrets that the Commission's proposal does not cover law enforcement cooperation (on which the separate Directive is proposed). This leaves legal uncertainty as regards rights and obligations in borderline issues, for instance where commercial data is accessed by law enforcement authorities for law enforcement purposes and transfers between authorities that are responsible for law enforcement and those that are not. The report on the proposed Directive addresses these issues and proposes amendments. The Regulation specifies that the exclusion from the scope of the Regulation only covers competent public authorities for law enforcement activities (not private entities) and that the applicable legislation should provide adequate safeguards based on the principles of necessity and proportionality (Articles 2(e), 21).
The territorial scope of the Regulation is an important issue for the consistent application of EU data protection law. The rapporteur wishes to clarify that the Regulation should also be applicable to a controller not established in the Union when processing activities are aimed at the offering of goods or services to data subjects in the Union, irrespective of whether payment for these goods or services is required, or the monitoring of such data subjects (Article 3(2)).
The Regulation needs to be comprehensive also in terms of providing legal certainty. The extensive use of delegated and implementing acts runs counter to this goal. Therefore the rapporteur proposes the deletion of a number of provisions conferring on the Commission the power to adopt delegated acts. However, in order to provide legal certainty where possible, the rapporteur has replaced several acts with more detailed wording in the Regulation (e.g. Articles 6(1b); 15; 35(10)). In other instances, the rapporteur proposes to entrust the European Data Protection Board (EDPB) with the task of further specifying the criteria and requirements of a particular provision instead of granting the Commission the power to adopt a delegated act. The reason is that in those cases the matter relates to cooperation between national supervisors and they are better placed to determine the principles and practices to be applied (e.g. Articles 23(3); 30(3); 42(3); 44(7); 55(10)).
Strengthening individuals’ rights
As the Regulation implements a fundamental right, a limitation of the material scope, particularly as regards the definition of "personal data", by for instance introducing subjective elements relating to the efforts the data controller should make to identify personal data, is rejected. The concept of personal data is further clarified with objective criteria (Article 4(1); Recitals 23, 24). Legitimate concerns regarding specific business models can be addressed without denying individuals their fundamental rights. In this context the rapporteur encourages the pseudonymous and anonymous use of services. For the use of pseudonymous data, there could be alleviations with regard to obligations for the data controller (Articles 4(2)(a), 10; Recital 23).
Consent should remain a cornerstone of the EU approach to data protection, since this is the best way for individuals to control data processing activities. Information to data subjects should be presented in easily comprehensible form, such as by standardised logos or icons (Article 11(2a), (2b)). Technical standards that express a subject's clear wishes may be seen as a valid form of providing explicit consent (Articles 7(2a), 23).
In order to ensure an informed consent to profiling activities, these need to be defined and regulated (Articles 4(3b), 14(1)(g), (ga) and (gb); 15(1), 20). Other legal grounds for processing than consent, particularly the "legitimate interests" of the data controller, should be clearly defined (amendment replacing Article 6(1)(f) by a new Article 6(1a), (1b), (1c)).
Purpose limitation is a core element of data protection, as it protects the data subjects from an unforeseeable extension of data processing. A change of purpose of personal data after its collection should not be possible only on the basis of a legitimate interest of the data controller. The rapporteur therefore proposes to delete Article 6(4) instead of widening it.
The rapporteur supports the strengthening of the right of access, with a right to data portability, being able to move one's data from one platform to another. In the digital age, data subjects, also in their role as consumers, can legitimately expect to receive their personal information in a commonly used electronic format (Article 15(2)(a)). Therefore he proposes to merge Articles 15 and 18.
The right to erasure and the right to rectification remain important for data subjects, as more and more information is disclosed which can have significant impacts. The "right to be forgotten" should be seen in this light; the amendments proposed clarify these rights for the digital environment, while maintaining the general exception for freedom of expression. In case of data transferred to third parties or published without a proper legal basis, the original data controller should be obliged to inform those third parties and ensure the erasure of the data. Where the individual has agreed to a publication of his or her data, however, a "right to be forgotten" is neither legitimate nor realistic (Article 17, Recital 54).
The right to object to further data processing should always be free of charge and it should be explicitly offered to the data subject by using a clear, plain and adapted language (Article 19(2)). There is also need to provide for better possibilities for effective redress, including by associations acting in the public interest (Articles 73, 76).
Further advancing the internal market dimension and ensuring better enforcement of data protection rules
The rapporteur welcomes the proposed shift from notification requirements to the Data Protection Authorities (DPAs) to practical accountability and corporate Data Protection Officers (DPOs). The proposed regulation can be simplified by merging information rights and documentation requirements, essentially being two sides of the same coin. This will reduce administrative burdens for data controllers and make it easier for individuals to understand and exercise their rights (Articles 14, 28). In the age of cloud computing, the threshold for the mandatory designation of a data protection officer should not be based on the size of the enterprise, but rather on the relevance of data processing (category of personal data, type of processing activity, and the number of individuals whose data are processed) (Article 35). It is clarified that the DPO can be a part-time function, depending on the size of the enterprise and the amount of data processing (Recital 75).
Data protection by design and by default is applauded as a core innovation of the reform. This would ensure that only data that are necessary for a specific purpose will actually be processed. Producers and service providers are called to implement appropriate measures. The European Data Protection Board should be entrusted to provide further guidance (Article 23). The amendments on Privacy Impact Assessments aim at further determining the situations where this assessment should be conducted (Article 33(2)) and the elements to assess (Article 33(3)).
The rapporteur proposes to extend the period within which to notify a personal data breach to the supervisory authority from 24 to 72 hours. Furthermore, to prevent notification fatigue among data subjects, the data subject should be notified only in cases where a data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, for example in cases of identity theft or fraud, financial loss, physical harm, significant humiliation or damage to reputation. The notification should also comprise a description of the nature of the personal data breach, and information regarding the rights, including possibilities regarding redress (Articles 31, 32). For breach notifications, impact assessments, and the right to erasure and to be forgotten, it is proposed that the Commission adopts delegated acts prior to the date of application of the Regulation in order to ensure legal certainty (Article 86(5a)).
Codes of conduct as well as certification and seals are supported, but there is also a need to provide incentives for their establishment and use, and clearer rules on the principles that they must contain and the consequences with regard to lawfulness of data processing, liabilities, and related issues. Codes of Conduct declared by the Commission to be in line with the Regulation shall confer enforceable rights on data subjects. The certification seals must set out the formal procedure for the issuance and withdrawal of the seal and they must ensure compliance with data protection principles and data subject rights (Articles 38, 39).
The Regulation should also ensure a unified working framework for all Data Protection Authorities (DPAs). In order to function, a crucial element is that DPAs, who must be completely independent, need to be sufficiently resourced for the effective performance of their tasks (Article 47). Cooperation between DPAs will also be strengthened in the context of a European Data Protection Board (EDPB, which will replace the current "Article 29 Working Party"). The rapporteur views the foreseen cooperation and consistency mechanism among national DPAs as a huge step towards a coherent application of data protection legislation across the EU. The model proposed by the Commission however does not ensure the necessary independence of DPAs. After having assessed different options, an alternative mechanism is proposed which maintains the idea of a lead DPA, but also relies on close cooperation between DPAs to ensure consistency (Articles 51, 55a). In substance, a DPA is competent to supervise processing operations within its territory or affecting data subjects resident in its territory. In the case of processing activities of a controller or processor established in more than one Member State or affecting data subjects in several Member States, the DPA of the main establishment will be the lead authority acting as single contact point for the controller or the processor (one-stop shop). The lead authority shall ensure coordination with involved authorities and consult the other authorities before adopting a measure. The EDPB shall designate the lead authority in cases where it is unclear or the DPAs do not agree. Where a DPA involved in a case does not agree with the draft measure proposed by the lead authority, the EDPB shall issue an opinion. If the lead authority does not intend to follow this opinion, it shall inform the EDPB and provide a reasoned opinion. The EDPB may adopt a final decision, by a qualified majority, legally binding upon the supervisory authority. This decision can be subject to judicial review (Articles 45a, 55, 58). The Commission may also challenge this decision before the EU Court of Justice and request the suspension of the measure (Article 61a).
The rapporteur supports the strengthening of the DPAs as regards investigative powers and sanctions. The Commission's proposal was however too prescriptive. He proposes a simplified regime which allows DPAs more discretion whilst at the same time entrusting the EDPB with the role of ensuring consistency in enforcement (Articles 52, 53, 78, 79). The system of sanctions is also clarified by including several criteria that must be taken into account in order to determine the level of the fine that a DPA may impose.
Strengthening the global dimension
As hitherto, the Commission's power to adopt decisions recognising the adequacy or the non-adequacy of a third country, a territory of a third country, and international organisations is maintained. The proposed new option of recognising sectors in third countries as adequate is rejected by the rapporteur, however, as it would increase legal uncertainty and undermine the Union's goal of a harmonised and coherent international data protection framework. The criteria for assessing the adequacy of a third country are strengthened (Article 41(2)). It is also proposed that the adequacy finding declared by the Commission is made by means of a delegated act instead of an implementing act, so as to enable the Council and the Parliament to make use of their right of control (Article 41(3) and (5)).
In the absence of an adequacy decision, to provide adequate protections and safeguards, the controller or processor should take appropriate safeguard measures such as binding corporate rules or standard data protection clauses adopted by the Commission or by a supervisory authority. Amendments to Articles 41(1a) and 42 clarify and detail the essential safeguards that these instruments should contain.
A new article 43a is proposed to address the issue raised by access requests by public authorities or courts in third countries to personal data stored and processed in the EU. The transfer should only be granted by the data protection authority after verifying that the transfer complies with the Regulation and in particular with Article 44(1)(d) or (e). This situation will become even more important with the growth of cloud computing and needs to be addressed here.
Photo: Vice-President Reding presenting the proposed data protection regulatory package a year ago, when the whole process began. Source: EC.