Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015

Transcription

1 2 September 2015 Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 We support the efforts of EU legislators to create a harmonised data protection framework. The draft Data Protection Regulation ( Regulation ) will not only set higher standards for the protection of individuals privacy, it will also establish the same rules for all companies. Eliminating a large number of varying data protection rules will be a major step forward for companies operating cross-border. The EU institutions aim to achieve a balance between business and consumer interests. This balance should be fair and we therefore support a risk-based approach. A high level of individual protection should be balanced with adequate safeguards for businesses legitimate commercial use of personal data. One of our priorities is for a Regulation that will create fair and reasonable rules for all companies processing personal data. The Regulation should therefore be appropriate for all types of business models and avoid imposing disproportionate obligations on companies that process data as a subsidiary activity to their main business. Below we focus on the most important issues from retail and wholesale perspective. Full Harmonisation We hope that the original aim of creating a fully harmonised data protection framework will not be abandoned. The number of provisions that allow scope for Member States to diverge in their implementation of some of the Regulation undermines true harmonisation: (collective redress independent from the data subject s mandate (Art.76.2), employment (Art.82), data protection officer (Art.35), public authorities (Art.1), etc.). If this approach is pursued, companies will still have to deal with a patchwork of rules. The original purpose of the Regulation will erode, which will seriously harm the EU s competitiveness towards third country businesses. A specific example: Establishing a compliance hotline within a global company Currently, establishing a compliance hotline across the EU is subjected to different rules and requires separate approvals/notifications. For example, while anonymous reporting is prohibited in some countries, in others it is necessary to provide an anonymous reporting channel. It often takes years to have all the group companies integrated in the same system. Even under the draft Regulation these issues would continue. The Regulation leaves it up to the Member States to adopt data protection rules in the employment context. This means that for example consulting the hotline with the works council would be subject to different rules across the EU.

2 Data Protection Officer (DPO) The experience of our member companies shows that qualified, independent and reasonably resourced DPOs can play a major role in ensuring a company s privacy compliance. An inhouse DPO knows the company best. Therefore, their assessment is fundamental for ensuring privacy compliance. At the same time, appointing a DPO is a non-bureaucratic approach and a cost saving solution for some companies. The rules for the appointment and the qualifications of a DPO should be the same across the EU. We are concerned that if Member States are free to decide on a mandatory or voluntary DPO appointment, this would lead to divergent standards within the EU and would result in an uneven playing field for companies operating cross-border. This would be against the spirit of the Regulation. Ideally, the DPO appointment should depend on the risks involved in the company s data processing operations and on the nature of the business (whether it is purely data-driven or whether data processing is a subsidiary activity to the main business). Therefore, the SMEs and micro-enterprises which do not process personal data as their core business (for example smaller retailers) should be exempt from appointing a DPO. If thresholds are to be set, they should not depend on the mere number of employees or consumers whose personal data are being processed but on the degree of risk attached to the processing. We therefore propose to revise Article 35 as follows: 1. The controller and the processor shall designate a data protection officer, where: (a) the processing is carried out by a public authority or body; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purpose, the number of the individuals concerned or individuals processing personal data imply regular and systematic monitoring of data subjects or high level of risk. [The text in 1(c) is based on the Commission s proposal modifications proposed by EuroCommerce.] 1a (NEW). The obligation referred to in paragraph 1 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage [The text in 1a(NEW) is new and has been proposed by EuroCommerce.] We also believe that there should be clearer incentives for appointing a DPO, such as: eliminating the need to consult a regulator in case of risky processing; or exempting group companies from putting in place data processing and transfer agreements if a DPO is appointed (group privilege). Many of our members operating internationally have experienced that signing the intra-group agreements has not automatically increased the level of data protection but rather it led to more administrative burden. In group companies any disputes arising from non-compliance are solved internally based on internal data protection policies and practices. We therefore support revising Article 34 as follows: 2. The controller or processor acting on the controller's behalf shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: [The text in bold has been already proposed by the EP. We support this proposal.] 2

3 We also support revising Article 22 as follows: 3a. The controller that appointed a data protection officer shall have the right to transmit personal data inside the EU within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38. [The text in 3a has been proposed by the EP we support this proposal and suggest additional changes in bold/italics.] Fines We support dissuasive level of fines for data protection violations. However, we are not in favour of the Regulation s approach of basing those fines on the company s global annual turnover. This approach disconnects the sanction from the actual violation. This may be good in targeting companies that process personal data as their core business. For companies processing personal data as a subsidiary activity to their main business (for example selling goods) this would be disproportionate. We think that as a rule of law, the calculation of fines should be linked primarily to a combination of: (1) the profit or the generated savings that a company made in relation to the data processing that involved the violation, and (2) the actual risk or violation to the data subjects fundamental rights, and (3) the nature of the business (purely data-driven or data processing as a subsidiary activity to the main business). In order to achieve fair and appropriate results, a company s annual turnover can only be of minor interest and if at all serve as a mere overall cap. Profiling Data analysis is crucial for the development of the commerce sector to be more effective and innovative. Profiling not only allows customers to receive offers that are relevant to their needs, rather than being bothered by mass mailings covering products they do not want. Profiling is also used to evaluate patterns of consumer behaviour to improve measures needed for fraud detection, credit evaluation, managing product safety, warranties, purchase and transportation management and product and process quality improvement. We support better privacy safeguards related to profiling. However, we think that rather than creating a right not to be subject to profiling, profiling should be allowed under certain conditions the main condition being that profiling does not result in harm to individuals. Therefore, we support a risk-based approach and requirement for explicit consent for profiling likely to cause harm. Profiling that would cause insignificant effects and of which the consumer would need to be properly informed, could be possible under other legal bases, such as legitimate interest. Consent We support the requirement of unambiguous consent for the processing of non-sensitive data. Calling for explicit consent will increase burdens for businesses and will be annoying for consumers. Obliging consumers to carry out repeated box ticking could mean that they risk ignoring important information about how their personal data are being processed. 3

4 We therefore support revising Article 6 as follows: 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes; [The text in 1a has been revised by the Council we support this proposal.] Data portability We are concerned that a provision that was meant to address mainly user-generated data and social media could have unintended consequences for retail if interpreted too broadly. The Regulation should clarify that the right to data portability would not oblige businesses to disclose confidential business information. Any provision that would require a retailer to transfer consumer profile information into a competing retailer s system could have serious competition implications. Therefore, we support including safeguards, such as intellectual property rights. Trade secrets should also be added. We therefore propose revising Article 18 as follows: 2aa. The right referred to in paragraph 2 shall not apply, if disclosing personal data would infringe intellectual property rights or reveal trade secrets in relation to the processing of those personal data. [The text in 2aa has been proposed by the Council we support this proposal and suggest additional changes in bold/italics.] Data Protection Impact Assessment (PIA) and record keeping We are in favour of PIA as a mechanism helping companies maintain their corporate data protection responsibility but combined with a risk-based approach. This means that only certain risky processing operations should require a PIA. The fact that many individuals personal data are being processed is not risky per se. It is the nature and the consequences of the processing that matter. We are sceptical about the requirement to consult on the intended risky processing with individuals or their representatives (Art.33.4). It is unclear how this obligation would work in practice, for example whether only notification rather than agreement of the concerned persons was required, what would be the required timeframe, etc. The provision is vague and would lead to uncertainty. There are already sufficient safeguards in the draft Regulation, such as an obligation to consult a regulator (or a DPO) if there are high risks involved in the processing (Art.34). We therefore propose to delete Article The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations. [The deletion of point 4 has been proposed by the Parliament we support this deletion.] We also think that requiring data controllers to perform a data protection compliance review (Art. 32a) and to review the PIA every two years (Art.33a) will be extremely burdensome, especially for the SMEs. We think that the here are already sufficient safeguards in the draft Regulation, as above. We therefore propose to delete Article 32a and 33a. 4

5 In addition we support that SMEs are exempt from certain compliance obligations, such as record keeping obligations (Art. 28) as long as the processing does not involve high risks for individuals. For many small shops whose core activities do not involve the processing of personal data the prescriptive record keeping duties would add additional burdens and costs. We support a risk-based approach. This means that there should be varying levels of obligation based on the risk of the data processing undertaken by a particular business. We therefore support revising Article 28 as follows: 4. The obligations referred to in paragraphs 1 and 2a shall not apply to: (b) an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage [The text in 4b has been revised by the Council we support Council s proposal.] Encouraging Corporate Responsibility We believe that the best data protection standards are set within the companies that build their robust privacy culture. We therefore support the idea that the Regulation encourages companies to do so even more by offering incentives and regulatory reliefs. In particular, the following measures were a big step forward in improving the overall level of data protection amongst our members: Appointing an independent and qualified DPO Implementing a code of conduct Undergoing external audits / certification We support the approach of promoting these measures by law. The following are particularly suited as possible incentives: Facilitating intra-group data transfers for internal or administrative purposes Providing regulatory reliefs for companies that have adopted codes of conduct Considering mitigating factors when imposing sanctions Doing away with registration and reporting requirements We remain fully at your disposal for any further information we can give you on this topic. 5

6 Comparative chart of the draft General Data Protection Regulation with the retail and wholesale sector recommendations Article number Commission s proposal EP s position Council s position Retail/wholesale recommendations 6 (a) the data subject has given consent to the processing of their personal data for one or more specific purposes; (a) the data subject has given (explicit) consent to the processing of their personal data for one or more specific purposes; 1. (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes; 1. (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes; 18 2aa. The right referred to in paragraph 2 shall not apply if disclosing personal data would infringe intellectual property rights in relation to the processing of those personal data. 22 3a. The controller shall have the right to transmit personal data inside the Union within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38. 2aa. The right referred to in paragraph 2 shall not apply, if disclosing personal data would infringe intellectual property rights or reveal trade secrets in relation to the processing of those personal data. 3a. The controller that appointed a data protection officer shall have the right to transmit personal data inside the EU within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.

7 28 4. b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities. 32a Deleted 4 (b) an enterprise or an organisation employing fewer than 250 persons that is unless the processing personal data only as an activity ancillary to its main activities it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage Respect to Risk 1. The controller, or where applicable the processor, shall carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects, assessing whether its processing operations are likely to present specific risks 2. The following processing operations are likely to present specific risks: (a) processing of personal data relating to more than 5000 data subjects during any consecutive 12- month period; (b) processing of special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large scale filing systems; (c) profiling on which measures are based that produce legal effects concerning the individual or 4 (b) an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage. Deleted 7

8 similarly significantly affect the individual; (d) processing of personal data for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale; (e) automated monitoring of publicly accessible areas on a large scale; (f) other processing operations for which the consultation of the data protection officer or supervisory authority is required pursuant to point (b) of Article 34(2); (g) where a personal data breach would likely adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject; (h) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; (i) where personal data are made accessible to a number of persons which cannot reasonably be expected to be limited. 3. According to the result of the risk analysis: (a) where any of the processing operations referred to in points (a) or (b) of paragraph 2 exist, controllers not established in the 8

9 33 4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of Union shall designate a representative in the Union in line with the requirements and exemptions laid down in Article 25; (b) where any of the processing operations referred to in points (a), (b) or (h)of paragraph 2 exist, the controller shall designate a data protection officer in line with the requirements and exemptions laid down in Article 35; (c) where any of the processing operations referred to in points (a), (b), (c), (d), (e), (f), (g) or (h) of paragraph 2 exist, the controller or the processor acting on the controller's behalf shall carry out a data protection impact assessment pursuant to Article 33; (d) where processing operations referred to in point (f) of paragraph 2 exist, the controller shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority pursuant to Article The risk analysis shall be reviewed at the latest after one year, or immediately, if the nature, the scope or the purposes of the data processing operations change significantly. Where pursuant to point (c) of paragraph 3 the controller is not obliged to carry out a data protection impact assessment, the risk analysis shall be documented. Deleted 4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of Deleted 9

10 33a the processing operations. Data protection compliance review 1. At the latest two years after the carrying out of an impact assessment pursuant to Article 33(1), the controller or the processor acting on the controller's behalf shall carry out a compliance review. This compliance review shall demonstrate that the processing of personal data is performed in compliance with the data protection impact assessment. 2. The compliance review shall be carried out periodically at least once every two years, or immediately when there is a change in the specific risks presented by the processing operations. 3. Where the compliance review results show compliance inconsistencies, the compliance review shall include recommendations on how to achieve full compliance. 4. The compliance review and its recommendations shall be documented. The controller and the processor and, if any, the controller's representative shall make the compliance review available, on request, to the supervisory authority. 5. If the controller or the processor has designated a data protection officer, he or she shall be involved in the compliance review proceeding. the processing operations. Deleted The controller or processor acting on the controller's behalf 2. The controller or processor acting on the controller's behalf 2. The controller or processor acting on the controller's behalf 2. The controller or processor acting on the controller's behalf 10

11 shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: shall consult the supervisory authority prior to the processing of personal data where a data protection impact assessment as provided for in Article 33 indicates that the in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the would result in a high risks involved for the data subjects where: in the absence of measures to be taken by the controller to mitigate the risk. shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body; or 1. The controller and the processor shall designate a data protection officer in any case where : (a) the processing is carried out by a public authority or body; or 1. The controller and or the processor may, or where required by Union or Member State law shall designate a data protection officer in any case where:. 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. (b) the processing is carried out by an enterprise employing 250 persons or more a legal person and relates to more than 5000 data subjects in any consecutive 12-month period; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; or (d) the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1), location data or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purpose, the number of the individuals concerned or individuals processing personal data imply regular and systematic monitoring of data subjects or high level of risk. 11

12 data on children or employees in large scale filing systems (a) (NEW). The obligation referred to in paragraph 1 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage. 12