FIfF statement on the General Data Protection Regulation

– PDF version for download –

FIfF supports the draft regulation submitted by the EU Commission on the modernisation of data protection – such an initiative was long overdue! We also advocate a number of amendments proposed by the Rapporteur, in particular the fundamental rights protection clause: “Member States have a positive obligation under the European Convention for the protection of Human Rights and Fundamental Freedoms (ECHR) to ensure that such data flows are appropriately regulated.“

By introducing European standards – despite a still existing need for change – an EU-wide level of data protection will finally be established. We call for further improvement, and demand that the scope of the regulation must not be restricted due to economic interests.

1 For further clarification of the consent

FIfF clearly welcomes the clarification of consent, in particular the explicit and unambiguous consent and the right to cancel and to object to processing of personal data.

FIfF demands: As stated in the Rapporteur’s amendment, default options such as pre-ticked boxes, which the data subject is required to modify to object to the processing, do not express free consent. As technical conditions change frequently, we call for limiting the validity of consent to a maximum of four years. At the expiry of consent, the processor or controller is obliged to delete the data immediately. Effective consent of a minor requires the consent of the legal representatives as well as the consent of the informed minor him- or herself. Consent must always be stated to the data processor or controller. The regulation must specify this precisely.

2 For the preference of data subjects to data processors

FIfF welcomes the additional requirements for information of the data subjects by the data processor or controller. The reasons for the primacy of the interests of the data processor or controller must be disclosed.

FIfF demands: The cases in which "legitimate interests" may be assumed should be restricted to the following three: the exercise of fundamental rights, in particular the right to freedom of expression and freedom of the media and the arts, the enforcement of legitimate legal claims – in particular law enforcement – or in commercial relationships between companies, when the data were collected for that purpose with knowledge of the data subject. Use for direct marketing is to be subject to explicitly stated consent of the data subject. The proposed amendment of the rapporteur still provides too many opportunities for data processing without consent.

3 For improved documentation requirements

FIfF welcomes the Rapporteur’s proposals to streamline the documentation requirements, the merging with the information rights of those affected and the requirements for documentation of technical and organizational measures and procedures.

4 For the limitation of profiling and extension of information rights and access to data

The definition of profiling and the narrowed definition of prohibition subject to authorisation will lead to more legal certainty. The expanded requirements of access to data strengthen the informational self-determination of the data subjects.

FIfF demands: Logic and algorithms of profiling measures must be disclosed. Special categories of personal data may not be used for evaluation, unless they fall within the exceptions explicitly mentioned. Evaluations obtained by profiling reviews are never complete, and human judgment may also lead to biases or misinterpretations. Therefore data subjects must have the right to obtain a second opinion on the evaluation. The cost is to be borne by the data processor or controller.

FIfF also demands: A general prohibition on profiling measures that lead to discrimination. This also applies to the combination of single profiling measures.

5 For data protection by design and by default and including protection objectives

FIfF welcomes the commitment to privacy enhancing technology design for processing and collection of personal data. The parties must be able to control their dissemination.

FIfF demands: The extended protection objectives must be included in the regulation: transparency, purpose limitation and intervenability (besides the objectives already confirmed by the rapporteur , i.e. confidentiality, integrity and availability). They have to be implemented in technical and organisational processes as well.

FIfF also demands: For manufacturers, technology policy and data protection by default should be mandatory, ensured e.g. by compulsory certification. This must be supervised by an EU institution and ensured for all processes (systems development processes, data protection processes and business processes). Certifications must be required particularly when special categories of data or data of children will be processed, or if profiles will be created.

6 For adequate safeguards when crossing borders with mobile devices

FIfF welcomes the binding to location principle (orientation at the business location of most service users), binding to purpose, transparency and commitment to the European legislation. We agree with the Rapporteur in rejecting the introduction of manufacturing sectors in third countries. We fully support the Rapporteur’s proposal to exclude third countries or territories with no adequate data protection from the transfer of personal data. We welcome the request for financial compensation in the event of unauthorised processing of data in third countries. FIfF welcomes the obligation to accountability.

FIfF demands: Mobile service providers must have a registered establishment in the country where the majority of contractors reside. In case the majority of these contractors shifts to another member state during the period of two years, the registered establishment should be installed there. Storage locations of the personal data must be made transparent. We demand the right to object if personal data are transferred to service providers outside the EU which are not subject to regulation. An access to transmitted personal data and the right to object to activation and deactivation of active networks of internationally cooperating service providers is required. To protect personal data, mobile devices must be rendered inoperable upon request.

7 For a general commitment to anonymise or pseudonymise

FIfF supports that the concept of anonymous data be specified and the scope of the regulation be expanded to pseudonyms and IP addresses.

FIfF demands: The obligation that personal data be anonymised or at least pseudonymised to an appropriate extent using the highest technical standards. It must be mandatory to anonymise, if the identity is not relevant, and to pseudonymise if the identity is relevant. The protection of pseudonymous data hat to be considered equivalent to the protection of personal data. Providers may not restrict functions for anonymous use and may not pretend that anonymous or pseudonymous use is impossible.

8 On the exception of the police and judiciary to regulation

FIfF shares the criticism of the rapporteur that the law enforcement cooperation in the Commission proposal is not regulated.

FIfF demands: Adequate provisions for cases such as the access of law enforcement agencies to business data have to be included in the regulation in order to achieve uniform regulation within the European Union.

9 For a mandatory impact assessment

FIfF calls for a mandatory impact assessment. It should apply to all profiling measures.

FIfF demands: Depending on the type of data processing, a reasonable assessment also of the longer-term consequences (for the time beyond the actual data processing) on the rights and freedoms of data subjects must be mandatory. The impact assessment should be published as fully as possible and be made available to the affected persons prior to request of consent if it does not contain confidential information about internal operations.

10 For a limitation of delegated acts

FIfF welcomes the replacement of delegated acts by the European Commission by acts by the European Data Protection Board as proposed by the Rapporteur. The originally intended authorisation of the Commission would lead to a large number of detailed rules that are exempt from parliamentary control. This legal uncertainty threatens the effective enforcement of civil rights and poses economic risks. Delegated acts are reasonable if technological progress requires frequent adjustments of the regulation.

FIfF demands: To ensure parliamentary control, delegated acts and decisions of the European Data Protection Board have to be confirmed by the Parliament within six months. A softening of regulations, lack of democracy and legal uncertainty must be avoided, therefore a strict framework for the remaining powers has to be provided. All activities following delegated acts must abide by the accepted and mandatory protection objectives. All processes to develop and use IT systems must be aligned to these objectives.

11 For a stronger independence of supervisory authorities and data protection officers

FIfF welcomes the independence of supervisory authorities, the Rapporteur’s proposal to recital 92 that population and scope of the personal data processed have to be considered, and the clarification of accountability to national parliaments. Additional requirements have to be added to ensure independence.

FIfF demands: The appointment of members of the supervisory authorities should rest exclusively with the parliament as the elected representatives of the citizens. More detailed requirements for financial control must ensure that the supervisors are financially equipped to fulfill their mission effectively. Independence of the data protection officer should be strengthened by at least one year of dismissal protection.

12 The duty to appoint a data protection officer in smaller companies

FIfF welcomes making the appointment of a data protection officer dependent on the number of data subjects affected, and including profiling as well as the processing of special categories of data explicitly in the list of activities requiring the appointment of a data protection officer.

FIfF demands: The appointment of a data protection officer must be mandatory if personal data are collected, processed or used by usually at least 10 people. The number of employees of 250 proposed by the Commission is too high, even though the situation of small and medium enterprises must be considered.

13 Against the right for political parties to survey political attitudes

According to recital 44 political parties may collect data on the political attitudes of citizens in public interest.

FIfF demands: The exception should be deleted. Abuse of these data cannot be excluded with sufficient certainty. The threat of violation of citizens‘ rights is not acceptable.

14 For the control of the employee data protection by member states

FIfF welcomes the possibility to adopt or keep specific laws for detailed regulations in the employment sector.

FIfF demands: The restriction by the European Commission that this should only be allowed within the limits of this regulation shall be dispensed. We support the Rapporteur’s view that the employment sector is a highly complex area regulated in many details at national level, where it can be dealt with best.