Share this content

Proposed EU data regulations divide opinion

15th Jun 2015
Share this content

The European Commission, Parliament and Council have agreed to a trilogue on the 24th June with the aim to create new data legislation that spans across all 28 of Europe’s member states.

Once the trilogue is underway, the legislation is set to be passed as a regulation rather than a directive, meaning no European countries would be able to reinterpret the rules to fit their own legal system.   

The new rules, as currently outlined, would mean changes to the way personal data can be collected by global businesses.

One particular clause, which would allow users to sue businesses who ‘process’ data, has been met with fierce criticism from Cloud providers including Amazon and IBM.

Under the laws, companies offering remote storing and processing of data on servers would classify as "processors" since they do not collect the data themselves and would therefore be in breach of the rules. Some of the globe’s leading tech players believe this would essentially “kill off” the Cloud Computing industry, including leading CRM players like Salesforce.    

However, Monique Goyens, director general of the European Consumer Organisation was resolute in defending the new proposals, saying: “EU laws are now lagging behind the pace of technologies and business practices. Our personal data is collected, then used and transferred in ways which most consumers are oblivious to. An appropriate update must put control of personal data back in the hands of European consumers.”

“This new regulation is the opportunity to close gaps, ensure robust standards and stipulate that EU laws apply to all businesses operating here.”

And the Direct Marketing Association (DMA) released a statement in which it praised five ‘positive’ steps forward in the regulations, if they are made up of the expected components of the Commission, Parliament and Council trilogue:

Definition of Personal Data: “The Justice and Home Affairs Council definition is preferable to the European Parliament’s one as in the Council definition online identifiers are only personal data if they can be linked to an individual. In the Parliament version of the text all online identifiers were personal data regardless of whether they could be linked back to an individual.”

Consent: “The Council text is preferred. Both other texts refer to explicit consent, whereas the Council text has removed the word 'explicit'.”

Legitimate Interest: “The Council text makes it clear that organisations can process personal information based on their legitimate interests provided they respect the rights of individuals in particular children and certain other caveats. This is much better that the Parliament text which gave a strong emphasis that processing based on legitimate interests was inferior to getting the individual’s consent. In the Parliament version of the text, Legitimate Interest including specific clauses for B2B marketing and postal direct marketing only. However, the new Council text includes the following: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest," which is broader.”

Automated Decision Making and Profiling: “The Council have gone back to a definition of automated decision making (including profiling) which only applies where the decision is based solely on automated processing. If there is any review of the automated decision by a individual then this wall fall outside the definition of an automated decision. This is much more similar to the current definition in the 1995 Directive/Data Protection Act 1998 than the Parliament’s version.”

Right To Be Forgotten: “Once again, the Council text seems preferable. The Parliament text reads that subjects should have the right to obtain erasure, "when a data subject objects to the processing of personal data". The Council text adds the words, "and there are no overriding legitimate grounds", which is preferred.”

The DMA appears to be one of few organisations to approach the proposed law changes with such positivity, however. Privacy International, EDRi, Access and Panoptykon Foundation drafted a statement in The Register that said that, “some of the Council's proposals gut data protection of all meaning. For example, the Council suggests that internet browser settings (failing to change the default to prevent tracking) could constitute consent for being tracked and profiled online”.

It went on to add that, “this is at odds with the European Commission's original draft, which required “explicit consent” for tracking”.

Replies (0)

Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.