EP resolution on data protection
Context
This Resolution is an own-initiative report prompted by the publication, in early November 2010, of the Commission’s Communication announcing plans to review the Data Protection Framework, currently regulated by the 1995 General Data Protection Directive. The EP traditionally adopts non-binding resolutions on major official announcements of the European Commission in order to share its views.
Introduced by the Commissioner for Justice, Citizenship and Fundamental Rights, Viviane Reding, who will lead the revision process, the Commission’s Communication outlined a series of suggestions to improve the data protection framework:
- The concept of personal data: The concept of “personal data” will be reviewed to take into account the impact of new technologies.
- Increasing transparency for data subjects: The Commission will consider introducing a general principle of transparent processing of personal data in the legal framework, as well as drawing up one or more EU standard forms (‘privacy information notices’) to be used by data controllers.
- Protecting children: the Commission will consider introducing specific obligations for data controllers on the type of information to be provided and on the modalities for providing it, including in relation to children. Currently, there are no child-specific provisions in EU data protection legislation.
- Ensuring free and informed consent: the Commission will examine ways of clarifying and strengthening the rules on consent.
- Encouraging self-regulatory initiatives: the Commission considers that self-regulatory initiatives can contribute to a better enforcement of data protection rules, including Codes of Conduct, which are seldom used in this context and are not considered satisfactory by private stakeholders.
The Voss Report
The EP report was prepared by German Conservative Axel Voss, a member of the European People’s Party, who sits on the Committee for Civil Liberties (LIBE). The LIBE Committee collaborated with several other Committees, which adopted Opinions that were incorporated into the main committee’s report. The committees included the Committee for Culture and Education (CULT), the Committee for Industry, Research and Energy (ITRE), the Committee for Internal Market and Consumer Protection (IMCO), and the Legal Affairs Committee (JURI).
After several months of debates and a broad cooperation between committees and the various authors of reports and opinions – a sign of enhanced political collaboration – the lead Committee LIBE adopted a draft report which was approved with no new amendments by a majority of members present in Strasbourg today.
The EP Resolution
The EP Resolution adopted today makes the following points:
Online Behavioural Advertising
- Abuses stemming from online behavioural targeting are worrying and prior explicit consent of the person concerned is required for the display of cookies and for further monitoring of web browsing behaviour for the purpose of delivering personalised advertisements;
- Advertising agencies and publishers should clearly inform internet users in advance about the collection of any data relating to them.
Children’s data must be handled with particular care
- Particular attention should be given to the collection and processing of data relating to children, who should be protected against behavioural advertising;
- Consideration should be given to an age threshold for children below which parental consent is sought and to age verification mechanisms.
Prior Consent required for data collection
- Consent should be considered valid only when it is unambiguous, informed, freely given, specific and explicit, and adequate mechanisms to record users' consent or revocation of consent must be implemented.
The risk of profiling
- The collection, analysis, exchange and misuse of data and the risk of ‘profiling’, stimulated by technical developments, have reached unprecedented dimensions and consequently necessitate strong data protection rules.
Privacy by design is required
- ‘Privacy by design’ should be based on the principle of data minimisation, meaning that all products, services and systems should be built in such a way as to collect, use and transmit only the personal data absolutely necessary for them to function;
- A technologically neutral approach should be maintained.
Self-Regulation is welcomed but not sufficient
- Self-regulatory initiatives and the reflection on setting up of voluntary EU certification schemes should be further advanced as complementary steps to legislative measures while maintaining an EU data protection regime based on legislation ensuring a high level of protection;
- The Commission should carry out an impact assessment of self-regulatory initiatives as tools for better enforcement of data protection rules.
The case for enhanced harmonization and transparency
- Full harmonisation should be kept at the highest level providing legal certainty and a uniform high level standard of protection of individuals in all circumstances;
- The Commission should improve the implementation of transparency, data minimisation and purpose limitation, data breach notification and the data subjects’ rights;
- The EP fully supports the introduction of a general transparency principle, as well as the use of transparency enhancing technologies and the development of standard privacy notices enabling individuals to exercise control over their own data.
Users must have access to information
- Information on data processing must be provided in a clear and plain language and in a manner that is easily understandable and accessible;
- The right to access includes not only full access to the data processed about oneself including its source and recipients, but also intelligible information about the logic involved in any automatic processing.
Users have the right to be forgotten
- The 'right to be forgotten' should be clearly identified.