Recently Jan Philipp Albrecht, rapporteur for the Civil Liberties, Justice and Home Affairs (LIBE) Committee, the lead committee considering the proposed draft General Data Protection Regulation, published the committee’s suggested amendments to the original draft regulation. The report runs to over 200 pages and contains over 350 separate amendments.
Since the original draft regulation was published in January of last year, businesses, industry bodies and regulators have been lobbying the European Commission, Council and Parliament to try to change some of the more onerous provisions and eliminate unnecessary burdens on organisations.
We have blogged previously about the need for a “risk based” approach that does not impose onerous controls on all businesses but instead looks at the risk posed by the data processing in question. Whilst the Council recognizes that the proposal of the European Commission needs to be amended to lower the burden on companies, the amendments do little to address those concerns.
Amendments lowering the burden on industry using the “risk based approach” are few and far between. One positive example, however, is the change in the threshold which triggers the requirement to appoint a data protection officer. The amendments suggest the requirement is triggered if an organisation processes the data of more than 500 data subjects, as opposed to a DPO being required if an organisation has more than 250 employees irrespective of the activities of the company.
The report does not, however, consider the concerns raised by businesses in relation to other significant areas. For example, the amendments further narrow the grounds that can be relied on to satisfy the legal basis required to process personal data in the first place – they significantly curtail the right to process personal data based on the legitimate interests ground, forcing companies to gain consent in areas where none is currently required. In addition, Albrecht would further increase the already very high standard for obtaining valid consent to a level that is arguably impracticable and unnecessary, including eliminating the ability of businesses to use any type of default option that needs modifying by the user (e.g. the infamous pre-checked box). The amendments also state that businesses in a dominant market position may not be able to seek valid consent due to the imbalance of power between user and data controller, nor can consent be valid where unilateral changes are made to terms and conditions and the only option is for a user to cease using the service in which the user has invested time. These changes, which would apply across the board, could impose serious roadblocks to business and take no account of the inherent risk of the underlying processing.
There are significant changes to the export rules, which require the review of the current approved methods of export (e.g. the white list countries, US Safe Harbor and the Model Clauses) within two years of the date the regulation comes into force, at which time the existing methods will otherwise become invalid. There is also a sense of déjà vu as the prohibition on businesses providing data in response to requests from overseas government bodies, without the relevant treaty having been followed or express regulatory approval, is re-introduced. This prohibition appeared in the initial leaked drafts of the proposed Regulation but was removed by the time the official draft was issued, partly due to pressure from the US arguing that this would inhibit international law enforcement and was not in the public interest.
The amendments suggested expand the Regulation’s extra-territorial application to any business monitoring EU residents (rather than just those that monitor their behaviour) as well as making clear the rules apply to any business offering products and services to EU residents, even if such goods or services are free. Of course, this will only work if there is a realistic prospect of enforcement against overseas companies, which requires the overseas regulators to be on board.
It is not all bad news for businesses, though. There are some positives, such as the time limit for reporting data breaches being extended to 72 hours, the removal of a number of areas in which delegated acts could be made (which gave the Commission the right to further change the rules, so their removal should provide greater certainty in some areas) and further curtailments to the much debated right to be forgotten.
Still, all in all the proposal is a significant setback for business and drives yet another wedge between the US and EU on these issues, which, if the amendments are adopted, will make it harder for businesses to roll out a consistent business model and less likely that the US authorities will assist the EU in enforcement, negating the practical effect of the extra-territorial jurisdiction.