Last week, the EDPS sent additional comments on the reform of the EU rules governing data protection to the European Parliament, the Commission and the Council in view of today's debate on the subject in the Civil Liberties, Justice and Home Affairs Committee (LIBE). These comments relate to specific areas that require clarification and are a reaction to a number of amendments proposed by various Parliament committees, including LIBE.
Peter Hustinx, EDPS, says: "As a society, we are increasingly reliant on technology that processes huge amounts of our personal information. Electronic surveillance is commonplace with profiling and "big data" putting our privacy under strain. The reform of the data protection framework is a momentous opportunity to redress the balance and guarantee this fundamental right for all EU citizens for generations to come. It is vital that the outcome of the negotiations in the European Parliament and the Council is a reform package that delivers a high level of data protection."
In our daily lives, we often share personal information with others: whether through loyalty cards, filling in a hotel form or a job application, or perhaps taking part in clinical trials. Online data sharing is pervasive on e-commerce sites, social networks and in mobile apps, via PCs, but also smart phones and tablets. Big data companies are able to mine information about us from a variety of online and offline sources, correlate it and often make money on the profiles that can be built from this information.
Faced with complex, pervasive and 'always on' technology, EU citizens should be able to control the manner in which their personal information is used. This is why the EDPS urges that the definition of explicit consent - in other words clear and unambiguous permission from the individual over the use of his or her personal information - be maintained as one of the cornerstones of the data protection framework.
In addition, the enormous computing power applied to increasing amounts of data from various sources makes it harder to ensure that the means supposed to anonymise data or disguise a person's identity (such as pseudonyms) are really effective. Any definition of anonymous data or pseudonymous data should be fully consistent with the definition of personal data, and should not lead to unduly removing certain categories of data from the scope of the data protection framework. In particular, it should be kept in mind that pseudonymised data remains personal data and as such should be protected.
The EDPS' comments also address other aspects of the new data protection framework. In conclusion, the EDPS warns the EU legislator to guard against undue pressure from industry to lower the level of data protection that currently exists, and instead to seize the opportunity to offer stronger and more effective protection to citizens across the EU.
EU Data Protection Reform package: on 25 January 2012, the Commission adopted its reform package, comprising two legislative proposals: a general Regulation on data protection and a specific Directive on data protection in the area of police and justice. On 7 March 2012, the EDPS adopted an opinion elaborating his position on both proposals. The two proposals have been discussed extensively in the European Parliament and the Council and have attracted the attention of many public and private stakeholders. The lobbying surrounding the legislative process has been exceptional.
Personal data: any information relating to an identified or identifiable natural person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.
Pseudonymised data is by definition data relating to an identifiable individual, as the connection between the pseudonym and the identifying data (e.g. first and last names, address etc.) is available, either to the collecting organisation or to a third party. Even if the pseudonym and its correlation with the identity are exclusively known to one given party (whether the controller or a trusted third party) and are not shared with anyone, pseudonymised data remains personal data.