The Cyprus Presidency of the Council of the European Union presented Member States with a revised compromise proposal on the simplification package for the European rules relating to the General Data Protection Regulation (GDPR), at the meeting of the Antici Group on Simplification (AGS), on Wednesday 27 May. This proposal forms part of the simplification package for digital legislation (‘Digital Omnibus’) presented by the European Commission last November, which allows broader use of personal data in the name of “the urgency of restoring Europe’s competitiveness” (see EUROPE 13755/4).
The revised proposal, seen by Agence Europe, introduces new Recitals 27(a) and 27(b) concerning the opinion that the European Data Protection Board (EDPB) should publish on pseudonymisation. A new Article 29 provides that the Chair of the Board will request this opinion no later than 12 months after the Regulation enters into force, while Article 70 adds that this opinion must also establish a list of situations in which processing is unlikely to result in a high risk.
As regards the derogations from the prohibition on processing special categories of data provided for in Article 9 of the GDPR, the new document specifies that, in the context of the development of artificial intelligence systems or models, this derogation should not cover data collected through ‘prompts’. If erasure of these data proves impossible or requires disproportionate efforts, such as re-engineering the AI system or model, the controller will have to protect this data “against any further processing or any processing for other purposes”.
The text further specifies that the processing of biometric data for identity verification purposes should be used only where necessary and proportionate and subject to appropriate safeguards. This means in particular that the data subject must be able to decide when and how their biometric data are used for verification purposes, without the controller having the technical capacity to access this data in decrypted form. The data subject should also be able to delete their biometric data securely at any time.
As regards the derogation from the obligation to inform the data subject when their data is processed, provided for in Article 13 of the GDPR, the new compromise text clarifies that it does not apply “in the field of employment or in relations with public authorities, public bodies or private entities carrying out a task in the public interest”.
Recital 38 now also specifies that individuals have the right not to be subject to automated processing of their data, except under certain specific conditions.
Responsibilities are clarified further in Recital 39 of the new text. Controllers remain solely responsible for determining the purposes and means of the processing and for complying with the corresponding obligations, while processors will have to ensure that ‘privacy by design’ and by default is applied to their processing offers and services.
For audience measurement purposes, the text specifies that aggregated information must not be linked to an identifiable data subject and must remain anonymous. The data collected may not be reused for other purposes, nor combined with data from other services, such as analytical information from other websites or applications, nor shared with third parties.
As regards consent, the controller will have to respect the refusal of a consent request for a minimum period of six months. Recital 45 specifies that “this obligation applies to any controller that accesses personal data stored in the terminal equipment of the data subject or (whomever) stores such data there, including providers of third-party cookies”.
A new Recital 46(a) also specifies that technical solutions will have to prevent self-preferencing practices.
Another important development concerns the clarification that Member States will be responsible for setting up national entry points allowing entities to report incidents (new Article 23(b)), rather than a single entry point, while Article 23(c) further specifies that ENISA will draw up guidelines aimed at promoting the harmonisation of incident notifications. (Original version in French by Ana Pisonero Hernández)