DLA Piper lawyers had the opportunity to review the European Parliament draft report on the Data Protection Regulation proposal that will be presented by Rapporteur Albrecht to the European Parliament on 10 January 2013. The proposed legislative changes would impose significant additional requirements on entities that collect data about EU residents, including, notably, entities located outside of the EU.
The rapporteur of the European Parliament (“EP”), Mr Albrecht has proposed a number of significant changes to the draft Regulation, including:
- Territorial scope: By changing the wording of the article on territorial scope (change from “monitoring behavior” to “monitoring”), the EP seeks to expand the Regulation’s scope to any controller established outside the EU that is collecting and processing personal data (i.e. monitoring) of EU residents. The rapporteur explains: “The Regulation should cover not only the monitoring of the behaviour of Union residents by data controllers outside of the Union, such as through internet tracking, but all collection and processing of personal data about Union residents.“
- Profiling: A definition of profiling has been introduced, broadening the concept to any kind of analysis of the habits of an individual. The previous proposal is limited to “producing legal effects.” Furthermore, when the legal basis for profiling is based on performance of a contract, the profiling must be “necessary” and not simply “Carried out in the course of entering into a contract.” The use of sensitive data in profiling activities is being prohibited by replacing the words “profiling shall not be based ‘solely’ on sensitive data” with “shall not include or generate any sensitive data.”
- Privacy by Design and by Default – Extension to Producer: A new term — “Producer” — has been introduced to refer to producers of automated data processing systems (i.e. hard- and software). The rapporteur explains Producers: “…should also take into account the principle of privacy by design and by default, even if they do not process personal data themselves. This is especially relevant for widely- used standard applications, but also should be respected for niche products.“
- Personal data breach: The original Commission proposal limited the definition of “personal data breach” by linking it to “a breach of security” leading to the loss of data. The EP broadens the scope by taking out the security breach requirement: “A data breach can also occur without a security breach, e.g. by accidental loss or disclosure“.
- Obligation to appoint a DP Officer: The original Commission proposal only required companies employing more than 250 employees to appoint a Data Protection Officer. The EP proposes to use a different criterion, i.e. the ‘processing of personal data relating to fewer than 500 data subjects per year.” The rapporteur explains that “In the age of cloud computing, where even very small controllers can process large amounts of data through online services, the threshold for the mandatory designation of a data protection officer should not be based on the size of the enterprise, but rather on the relevance of data processing. This includes the categories of personal data processed, the type of processing activity, and the number of individuals whose data are processed.“