Issue link: https://maltatoday.uberflip.com/i/604914
maltatoday, SUNDAY, 22 NOVEMBER 2015 16 THE data protection reform package consists of two draft laws: a general regulation covering the bulk of personal data processing in the EU and a directive on processing data to prevent, investigate, detect or prosecute criminal offences or enforce criminal penalties. Green MEP Jan Philipp Albrecht (Denmark) is the lead MEP for the draft regulation that is updating the principles set out in a 1995 directive, with the changes in data processing brought about by the internet: such as internet data on social networks, online shopping and e-banking services, and offline databases held by hospitals, schools, businesses and research companies. Parliament, the Council and the Commission are now meet- ing in three-way talks to seek a final agreement on the data protection regulation before the end of 2015. The EP's aim is to reach agreement on both the regulation and the directive before the end of 2015. The wide array of proposals in the regulation truly captures the spectrum of people's lives as they manifest themselves on the internet. Right to be forgotten (Article 17) MEPs say people should have the right to have their personal data erased if data processing does not comply with EU rules; the data are no longer necessary for the purposes for which they were collected; or the person objects or withdraws his/ her consent for the processing of his/her personal data. To enforce this right, a person that asks an internet com- pany to erase their data will make that company forward the request to any others that replicate the data. There will be restrictions, such as if the data is needed for historical, statistical and scientific research purposes, for public health reasons or to exercise the right to freedom of expression. And the right will not apply when the retention of personal data is necessary to fulfil a contract or is required by law. The 'right to be forgotten' as expressed in Article 17 of the Commission's draft of the Regulation is the "right to obtain from the data controller the erasure of personal data relating to them and the ab- stention from further dissemination of such data, especially in relation to personal data which are made available by the data sub- ject while he or she was a child", where one of four grounds applies. What is contentious is the extent to which these data controllers or search engines like Google be burdened with the responsibility for the removal of content. The Commission has pro- posed that they "inform third parties which are processing such data, that a data subject requests them to erase (…) personal data" so that third par- ties such as publishers can have a say when removal requests are submit- ted to search engines in respect of their content. In contrast the EP's amended text goes even further than this, suggesting that the data controller "shall take all reasonable steps to have the data erased, including by third parties". This means that data control- lers will be judge and jury when considering such requests. Explicit consent (Article 7) How many times have we bothered to read the terms and conditions that come with every app we down- load on our mobile phones or every software we install from the Internet? Well, the European Par- liament says that where processing is based on consent, a company should process personal data only after obtaining clear permis- sion from the data subject, and that people should be able to withdraw consent anytime they demand it. Now that means "any freely given, specific, informed and ex- plicit indication of his/her wishes, either by a statement or by a clear affirmative action". MEPs said the execution of a con- tract or the provision of a service cannot be made conditional upon consent to processing personal data that is not strictly needed for the completion of that contract or service. The EP also says that the consent should lose its effect as soon as the processing of personal data is no longer needed for the initial purpose for which it was collected. Profiling (Article 20) Ever felt Google was following your every mouse click? Ever seen adverts appearing on the next website you visit after hav- ing searched for exactly the same thing a few moments ago? It's a strategy that drives advertising revenues for the search engine that usually happens through "profiling", a technique that analyses or predicts a person's performance at work, eco- nomic situation, location, health, preferences, reliability or be- haviour based on the automated processing of their personal data. Under the changes proposed by MEPs, profiling, as a general rule, would only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract. Parliament also makes clear that profiling should not be based solely on automated processing and should comprise human as- sessment, including an explanation of the decision reached after such an assessment. Data portability Under the Commission proposal, any per- son would have the right to ask an email service provider or a social network to pro- vide a copy of all their data in an electronic, commonly used format, to be transferred to another provider or service. MEPs also propose merging the right to data portability with the right to data ac- cess (Article 15) and stress that, for per- sonal information processed by electronic means, the controller should provide a copy of these data "in an electronic and interop- erable format". This would allow users to switch email providers without losing con- tacts or previous emails, for instance. Where technically feasible and at the request of the data subject, the data would be transferred directly from controller to controller (e.g. from email provider to email provider). Inside the EP 16 Inside the EP Europe is very close to the finishing line of an extraordinary project: the adoption of the new General Data Protection Regulation (GDPR), a single, comprehensive replacement for the 28 different laws that implement Europe's existing 1995 Data Protection Directive. Europe's digital rights debate nearing the finishing line... Part 1 of our series on the European Parliament Green MEP Jan Philippe Albrecht Maltese attitudes on data protection How much control do you feel you have over info you provide online, eg, ability to correct, change or delete this information? Authorities and private companies holding info about you may sometimes use it for a diffrent purpose: how concerned are you? How important is it to have the same rights and protections over your personal information regardless of the country in which the company offering you the service is established? Complete control 24% Partial control 50% No control at all 23% Depends on website or app 1% Don't know 2% Total concerned 71% Total not concerned 25% Don't know 4% Total 'important' 93% Total 'not important' 4% Don't know 3% Source: Eurobarometer