ICO shares industry concerns over European Parliament amendments to Draft Data Protection Regulation | DMA

Filter By

Show All
X

Connect to

X

ICO shares industry concerns over European Parliament amendments to Draft Data Protection Regulation

The definition of personal data, consent, children, standardised privacy notices, right to object, profiling, data breach notification and sanctions – these are just some of the key areas of concern for the Information Commissioner’s Office (ICO) and the direct marketing industry alike in the European Parliament’s amendments to the Draft Data Protection Regulation. The ICO’s views are set out in Proposed draft EU General Data Protection and ‘law enforcement’ Directive.

The ICO document sets out a comparative analysis of the original European Commission text published in January 2012 and the amendments contained in the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) Report published in October 2013:

1. Definition of personal data
The LIBE amendments to this definition will widen the scope of personal data too much. For example, it would include personal information from which there is a mere possibility of identifying a person in the definition of personal data.

2. Consent
Where the processing of personal information is relatively low risk and obtaining an individual’s consent is impossible or disproportionately difficult to obtain, there should be alternatives for organisations to be able to legally process personal information other than obtaining the individual’s consent such as the legitimate interests of organisations.

3. Children
Children below the age of 13 should be able to use low-risk and simply presented services that they understand and want to use. (The ICO has always had reservations about provisions relating specifically to children because of the uncertain relationship between age and mental capacity and the range of services online.)

4. Standardised privacy notices
The prescriptive nature of the standard notices in the LIBE amendments could be counter-productive as the result will be longer, more detailed privacy notices. This will mean that even fewer individuals will be inclined to read them.

5. Individual’s right to object to the processing of their personal information
Giving the individual the absolute right to object to the processing of their personal information (including where the legal basis for the processing is the legitimate interests of the data controller) is too sweeping and removes the balance between the data controller’s and individual’s rights.

6. Profiling
The LIBE amendments fail to recognise that there are different types of profiling with different privacy impacts on individuals. The ICO has always taken the view that the provisions dealing with profiling in the draft regulation have been too broad-brush. The individual’s protection against different types of profiling should be proportionate to the privacy risks of each one.

7. Data security breach notification
The ICO supports LIBE’s amendments replacing the Commission’s original proposal – that an organisation should notify individuals and the relevant national data protection authority within a specified time period – with a requirement that the notification should be without undue delay. This reflects that some data security breaches may be more complex and will therefore require organisations to identify the nature of the breach and which individuals have been affected.

8. Sanctions/fines
The ICO welcomes LIBE’s proposed revision, as it would enable national data protection authorities to relate the level of the fine to the risk posed by an organisation’s non-compliance with the requirement of the Regulation.

Update on the Justice and Home Affairs Ministers consideration of the draft regulation
The DMA understands that the Greek Government, which currently hold the Presidency of the Council of Ministers, has scheduled several meetings of the Justice and Home Affairs Ministers Working Group on the draft Regulation. The Working Group is looking at several issues and recently looked at profiling. The next Ministerial level meeting is at the beginning of March and will focus on four issues: pseudonymous data, data portability, profiling and the data controller/processor relationship. The Greek Presidency is still hoping for the Council of Ministers to reach agreement on the Council revised text at the Ministerial Level meeting in June.

Meanwhile, all the Members of the European Parliament will have the opportunity to in principle vote and adopt the LIBE amendments to the draft Regulation on 12 March 2014.

It is therefore likely that there will be three different versions of the draft Regulation by the summer: the European Commission original text from January 2012; the text as amended by the European Parliament; and the text as amended by the Council of Ministers. Three-way negotiations (trilogue) involving all the institutions are likely to start in the late summer and it is just possible that the Regulation could be agreed in Brussels by the target of the end of this year If this happens then the new Regulation will come into effect by the end of 2016.

James Milligan, Solicitor, DMA

Hear more from the DMA

Please login to comment.

Comments

Related Articles

This article is written by MBA Group Ltd.

priscilla-du-preez-tAnrp8P51tY-unsplash.jpg

As abandoned baskets reach the highest levels in a decade, how can you make sure your customers successfully checkout?

hero-man-thinking-about-making-a-purchase.webp
As Black Friday approaches, marketers face pressure to captivate customers. The '23 season showed how brands use real-time data, AI, and dynamic content to tailor their messaging and boost engagement. Learn from them to shape your strategy.
iStock-1661657038.jpg

Telemarketing continues to hold a significant place in the marketing strategies of many businesses, despite a relentless wave of digital transformation. Contrary to common misconceptions, telemarketing is not an obsolete tactic.

Depositphotos_103113358_S (1).jpg