Brussels, 17/06/2015 (Agence Europe) - The Justice Ministers' compromise obtained on Monday 15 June on the general regulation reforming European personal data protection rules has provoked mixed responses that veer between concern and a feeling that ministers have agreed to a good text.
The European Digital Rights (EDRi) organisation was one of the most concerned bodies and said in a press release that private life and data protection are “in danger” due to this agreement. It considers that key reform elements have been revised downwards, such as the rules on notifications of breaches of confidentiality, the “privacy by design” concept and profiling, on which it claims the provisions remain too vague.
The EDRi also thinks that we are a long way from harmonisation with the “48 exceptions” in the Council position, “where member states can do what they like”. The association particularly regrets the scope chosen and the possibility of withdrawing data later for goals that were not the subject of citizens' initial consent. This is one aspect of the reform that is also causing concern to many member states.
The compromise is also shifting from a “minimisation of data” principle to one of “non-excessive data” processing, which suggests that more data could be processed by the supervisors. The legal motives on the basis of which data processing can be carried out (6 criteria) still remains too vague, according to the EDRi. The notion of “legitimate interests” implies that data can be processed without necessarily obtaining the consent of users and is, in this connection, much too vague and biased towards corporate concerns. The EDRi also has difficulties with the means of appeal that citizens have when data is transferred to non-EU countries.
The European Small Business Alliance (ESBA) believes that the ministerial text is welcome but in a press release explains that it still has a number of concerns. The ESBA would like greater clarity on the derogations for small and micro enterprises such as on the issue of not having to employ data supervisors. The Commission considers that if these companies are not engaged in activities that involved data processing, they should be exempt from this requirement but the European Parliament has undermined this provision, explains the ESBA and the Council compromise therefore remains vague.
The text stipulates that SMEs will not have to register their data processing activities unless the processing is likely to lead to a high risk to the rights and freedoms of the individuals concerned. Although the ESBA “supports this fair provision”, the document does not, however, explain whether these companies will have to employ a data supervisor or not. This ambiguity creates legal uncertainty for SMEs and according to the ESBA, this could possibly lead to disputes arising.
Mobile telephone and communications organisations, the GSMA and ETNO, however, were more positive and welcomed the general approach from the ministers. They welcomed the fact that the rules would be the same for all companies and that this would benefit all consumers. The two organisations, however, want to keep the “E-privacy” directive aligned on this regulation and want the legislator to abrogate this 2002 directive and develop it through amendments to the data protection regulation, rather than getting involved in another new lengthy revision undertaking. (Solenn Paulic)