Prominent European government officials provided up-to-the-minute perspectives on the proposed European data privacy regulation at this week’s IAPP Europe Data Protection Congress in Brussels. The officials’ comments — summarized below –indicate how the proposal might evolve for the next steps in the policy process, which include the issuance of the European Parliament’s formal report on the proposal.
Albrecht: Regulation should encourage companies to de-identify data
MEP Jan Philipp Albrecht revealed key modifications that the European Parliament (EP) will likely propose to the draft European data protection regulation. Rapporteur for the EP’s Civil Liberties Committee, Albrecht said that the regulation should encourage companies to encode data so as to hide identifying information. Albrecht stressed that this technique, known as “pseudonymization,” would not mean that data are no longer considered personal. But the regulation should recognize that encoded data are less vulnerable than unencoded data, and should encourage companies to pseudonymize data whenever possible. “The regulation will include a new category. It will remain personal data, but there should be incentives to pseudonymize data,” commented Albrecht.
Isabelle Falque-Pierrotin promotes leniency programs
Citing competition law enforcement practices, CNIL Chairwoman Isabelle Falque-Pierrotin said the EU regulation should have a leniency principle so that Data Protection Authority (DPA) sanctions will take account of a company’s efforts to implement accountability. “There should be a link between accountability and sanctions,” commented Falque-Pierrotin.
Documentation and right of access: “two sides of the same coin”
Falque-Pierrotin and Albrecht agreed that the new accountability measures should not be viewed as a trade-off for lower respect of underlying data protection principles. According to Albrecht, “the data subject’s right to access and the data controller’s obligation to document processing are two sides of the same coin. If you eliminate the documentation obligation, you might as well eliminate the right of access.”
Kohnstamm wants no compromise on consent.
“Privacy is a fundamental right in Europe. That has to be the starting point of any discussion,” said Jacob Kohnstamm, Chair of the Dutch DPA and of the Article 29 Working Party. Commenting on lobbying efforts to insert the concept of implicit consent in the regulation, Kohnstamm said consent cannot be anything but explicit. MEP Jan Albrecht reinforced Kohnstamm’s hard line view on consent: “The basic principle of data protection in the private sector is consent. Legitimate interest, and other bases for processing, should be the exception. Consent is the core. The aim is that data subjects be fully informed and then choose. Afterwards, data subjects then can run naked through the Internet if they want. But information and consent has to be the starting point.” Kohnstamm also previewed an upcoming (by end of year) Article 29 submission on the topic of profiling. He described the draft regulation’s treatment of profiling as “not satisfying,” and in need of additional definition and specifics.
Despite indications of upcoming changes in the proposed regulation, in key respects all of the speakers’ remarks – as well as considerable informal hallway discussions amongst delegates — confirmed that the essential, and most controversial, elements of the proposal can be expected to remain the subject of further discussion and debate in the next round of deliberations.
European and US-based members of the Hogan Lovells Privacy & Information Management practice attended the IAPP Europe Congress, with partners Winston Maxwell and Harriet Pearson speaking during sessions on cloud computing and “Big Data.”