Brussels, 06/03/2015 (Agence Europe) - Several associations representing internet users, including European Digital Rights (EDRi), warned the member states on Tuesday 3 March against their being tempted to reduce the level of protection for citizens' personal data.
With EU justice ministers, meeting in Brussels on 13 March, due, in principle, to agree on Chapter 2 of the general regulation of the reform that relates to the main principles, such as the consent of internet users and the obligations of data protection officers, as well as the so-called one-stop-shop mechanism, EDRi has accused the member states of watering down every part of the regulation and making the new rules presented by Viviane Reding in January 2012 “an empty shell”. The January 2012 proposal says that the consent of users must be “explicit”. In the latest texts, notably a compromise of 4 March put to the Coreper (the committee of the permanent representatives of the member states to the EU) the following day, the member states spoke of “unambiguous” consent. The associations are concerned, too, that the consent given by users could be used for purposes other than that for which it was initially given. They are also critical of a “legitimate interests” clause that would allow data officers to send personal details to other companies in the same group.
“To say that the member states are drastically cutting back on the level of protection is not fair”, according to a European source who says that users will be provided with the information needed. The 4 March text states that consent “should be given unambiguously by any appropriate method” enabling a freely-given, specific and informed indication of the data subject's wishes, by a written statement, including electronic format, by an oral statement or, if required by specific circumstances, by any other clear affirmative action by the data subject signifying his or her agreement to personal data relating to him or her being processed. This could include ticking a box when visiting an internet website, says the compromise text which was given quite a warm reception on Thursday 5 March. Silence or inactivity should therefore not constitute consent, the text states. France, Poland and the Commission expressed reservations on the shift from “explicit” to “unambiguous” and await further definitions on the notion of consent, notes the document.
With regard to consent for multiple purposes, the same source says that consent will be required if the purposes of the processing activities change but need not be given for a similar processing activity. However, consent may be given once and for all to facilitate scientific research. Here again, there are provisions that necessitate the consent of the person for certain research projects. The member states highlight, however, the importance of not increasing bureaucracy for the data protection officers. As for the legitimate interest clause, it would seem that no consent is required, either from the client or from employees, for a company data protection officer to be able to send personal details to another company in the same group. The compromise attempts to set out these legitimate circumstances, for example, to prevent fraud. Some delegations expressed concern at the notion of legitimate interests: Austria said in a note that it found it insufficient to make the processing of personal data by the data protection officer legal. (The provisions for the transfer of data to a company in a non-EU country are governed by a separate chapter of the regulation.)
Others find efforts relatively “balanced”
In general terms, the purposes of the processing of personal data will have to be set out clearly, transparently and explicitly by those who use and request these data, the text states. According to the source close to the matter, specific provisions also protect sensitive data, such as those that allow skin colour or ethnic origin to be known. These sensitive data should, as a general rule, only be used in very specific cases, for example, to construct “ethnic statistics” (France would like additional rules on reasons for processing of statistics in Chapter 3). In this latter instance, people concerned should have to give “explicit” consent, the document says. A derogation is, however, available for the use of sensitive data, health data, for example, when there is a risk to public order and safety (contagious diseases, for instance). The Council source says that, while the Council does not make the protection of personal data an absolute right, a balance is nonetheless struck between the rights of individuals and the needs of companies and administrations. During the course of the discussions, the United Kingdom made a number of remarks on the additional administrative burden that some obligations could engender, the document states.
One-stop-shop - compromise in sight
Finally, on the so-called one-stop-shop mechanism, it was an approach more protective of citizens that prevailed at the Coreper on Thursday 5 March. The member states did not go with the idea of triggering reference to the future European Data Protection Board in the event of a dispute over a decision taken by a national authority, on the basis of a quantitative threshold. Contrary to the wishes of, notably, Ireland, which will be first in the firing line in the event of cases around Facebook and Google, it will be sufficient that a single national regulator be in disagreement for recourse to the Board to be available. Ireland sees in this a loss of power for its regulator. For others, however, it provides the guarantee that their national regulators will not be ignored. (Solenn Paulic)