24 January, 2013
Interview with Jan Albrecht, MEP
To mark the forthcoming European Data Protection Day, ETNO Digital publishes an interview with Jan Philipp ALBRECHT, MEP, Member Group of the Greens/European Free Alliance and lead Rapporteur on the Commission’s draft Proposal for a General Data Protection Regulation. His Report will be voted in the LIBE Committee in April.
- Can you describe the Parliamentary review process for the draft Data Protection Regulation – expected timing, co-operation with other Committees and consultations with the Commission and Council? How optimistic are you that we will complete the process this summer?
After the proposal by the European Commission has been made in January 2012 Parliament and Council started to scrutinize the text and discuss changes. In the European Parliament I now have proposed a draft report based on an extended exchange with all political groups and stakeholders. Until end of February all groups can now pose amendments to this proposal which should be voted until end of April. After that the negotiations with the Council could start. A common position should be found until end of this year to reach the common aim of adopting the new regulation before the European Elections 2014.
- Given the broad scope and applicability of the Data Protection Regulation to many sectors and the intense interest in this legislative measure, how do you manage the consultation process with external stakeholders (including consumers) to ensure that you are getting balanced input?
As rapporteur for the issue I had hundreds of individual meetings with all sectors of stakeholders during 2012. In addition there have been a long row of hearings and even an interparliamentary meeting to bring together and exchange all views in the political process. To reach out for different perspectives from citizens and consumers I was going to debates all around Europe. We then tried to bring together the different ideas for changes and find out the most appropriate proposals. I have the feeling that we touched on almost all legitimate concerns of all sides. But still there is room for improvement as this is indeed a very complex issue touching all parts of society.
- What do you see as being the most challenging issues that you have to address in the text?
The most challenging issue is the question how to ensure foresee-ability for citizens and consumers about the more and more complex way of data processing. People have to be put into a position where they can take an informed decision and oversee the consequences of highly technical issues. That is quite a challenge. We therefore put the consent of people in to the center and reach out for more transparency on the logic behind what is done with their personal information. And of course we have still reach as much legal certainty as possible while at the same time assure technical neutral provisions.
- Finding the right balance between adequate consumer protection and potential for business innovation is clearly a key issue in this review. How can we ensure that enough scope is being left to businesses to allow them to innovate? Eg your recent Report on the draft Regulation retained the need for “explicit consent” (which implies tick-boxing and repeated actions) while other Rapporteurs have reflected the possibility of a context based consent which we feel may be more appropriate.
The data protection regulation is a huge benefit for business innovation. We reduce the administrative burden dramatically by introducing a single legal framework for the whole European market with a consistent application of data protection authorities who – with this regulation – will serve as single contact points. Having said this, the European Parliament and the Council are also implementing a fundamental right on data protection. To create trust in the processing of personal data is key for growth and innovation. By changing the long standing principle of consent as the basis for the processing of personal data we would lose this trust. The informed decision – also about the question if data processing is harmful or harmless – has to stay with the data subject. I am convinced that this also assures a high level of competition as informed consumers can chose the best offer – also in terms of data protection.
- Through your Report you have sought to strengthen the definition of “data subject” and what constitutes personal data. This will have significant implications for companies. Can you describe what was behind that reasoning?
Our clarification on the definition of “data subject” is following the judgements of the European Court of Justice on the existing definitions in the data protection directive from 1995 and respecting the specific developments with regard to pseudonym-based processing. It is quite clear that pseudonym-based information becomes personal data if I can be singled out individually. Having said this I also defined in accordance with this a definition for pseudonym-based data. For those personal data the regulation now foresees incentives like the possibility for technical standards which can allow for a more simple way of giving consent in the online environment, for example with the so called “Do not track” browser settings. In addition I clarified that those information not covered by the definition of “personal data” are to be seen as anonymous information and not covered by the regulation. I am convinced that there is a huge potential for services and new innovation by just using anonymous information.
- Much has been written about the territorial scope of the Regulation and the need to ensure that those that are directing services to European subjects are caught by the Regulation – how do you see this being achieved in practical terms?
The territorial approach of the Regulation is something which isn’t new. We have the same in many market and competition rules in Europe. In a globalized environment – and the digital world is per se global – every regulator should set the rules on a democratic decision for its own citizens and market. For the Europeans it is very important that they can trust in the application of European law if they are in Europe and buy products and services on their market or if they are monitored by somebody. That is what we are doing with the Regulation. We therefore also give an important impulse on working out common data protection standards on the global level to avoid legal conflicts in those cases where there are overlaps or grey zones in finding the applicable jurisdictions. But it is clear that until we reached this, the burden of dealing with different jurisdictions should be on court than on the citizens and consumers.
- In your Report, “legitimate business purposes” can be used as a legal basis for data processing if none of the other legal grounds apply, and the data controller will need to explicitly inform the data subject. However, in the UK for example, there is widespread reliance on “legitimate interests” of the data controller to allow for the use of data rather than “consent”. What are your thoughts about this important aspect?
Today the huge majority of data processing is taking place without the consent of the data subject. This never has been the starting point of data protection rules in Europe and consumers have a completely different perception. When the data protection directive was passed in 1995 it was clear that the rule for data processing would be the consent and the exception would be the legitimate interest of the controller. It was meant to allow data processing without the consent of the data subject where the consent would not be expected to be given but the vital interests of the controller overrule the rights of the data subject. With our proposals for the data protection Regulation we clarified this while assuring that all legitimate concerns of business to process personal data without the consent of the data subject are respected. If any of those concerns are not properly addressed I am very open to discuss this. But it has to be clear, that the interest of citizens and consumers have to be respected and that this conflict of interests cannot be solved only in favour of those doing business with the personal data of others.
Ph. Fritz Schumann