In a world built around online communication, the modernisation of data protection laws is a pressing need for Europe. Every day our data is processed and stored in an unprecedented scale by both the private and the public sector. Our personal data has become a commodity, which value has surpassed any of our expectations. Public and private databases of sometimes highly sensitive data have cropped up and the data is exchanged within Europe as well as transferred to third countries.
The S&D Group welcomes the Commission proposal on reforming the current data protection framework and specifically welcomes that the instrument of Regulation was adopted. However, we must state our grave disappointment that the law enforcement sector was taken out of the Regulation and a Directive was chosen to cover police and judicial cooperation, as this provides and inferior level of protection to our citizens. We believe that the two instruments create a single package and that a high level of harmonisation of provisions between the two, need to be guaranteed.
The S&D Group is committed to data protection rules that protect fully our citizens' fundamental rights but at the same time encourage further harmonisation in the internal market and allow businesses to innovate, grow and create jobs.
We, the S&D, believe that the new data protection framework should be based on the following principles:
- package applies to processing of personal data of data subjects residing in the Union, regardless of whether the controller is a private or a public body, based in the Union or outside and regardless if the services are paid or free of charge.
- personal data is any information that relates to a data subject
- anonymised data should not be subject to the Regulation. Use of anonymised data should be encouraged and incentivised.
- pseudonymised data is personal data, and the use of pseudonyms should be encouraged, and incentivised. Pseudonymisation should give some leeway from certain documentation etc. obligations.
- transparency, purpose limitation, data minimisation, integrity, accountability, security and storage minimisation have to be respected
- processing is only legal where there is: explicit consent, compliance of a legal obligation, performance of a contract, protecting a vital interest of the data subject, processing is done by a public body for an official duty, and in very limited and specified circumstances for legitimate interest of the controller.
- data revealing race or ethnicity, political opinions, religion or beliefs, trade-union membership, genetic or biometric data, sexual orientation or gender identity or data concerning health or sex life or criminal convictions is to be considered as having special protection and shall not be processed, unless in extremely specified circumstances and with special safeguards.
- the data subject has to have full right to be informed on and access to what data is being processed of them and for what purpose. They shall also have full rights to rectify and/or supplement the data that is incorrect and to obtain the erasure of it. The controller shall take measures to have the data erased from any third parties it has transmitted such data.
- as a part of information policy, a system of clear icons should be used by companies on their websites, to easily show to the data subject what is being done with their data.
- every natural person shall have the right not to be subjected to profiling that would produce legal effects for the person.
- exceptions to the rule have to be specified in law or data subject's consent if that is freely given and can be withdrawn.
- profiling cannot be based on special categories of data.
- profiling cannot be used to single out children.
- there has to be a one-stop-shop for both the citizen and the companies, i.e. a single contact DPA with whom to deal with when needed.
- transfers to third countries should only take place when it can be guaranteed that corresponding data protection norms can be guaranteed in the country of transfer.
- COM adequacy decision, European Data Protection Seal, appropriate safeguards in a legally binding instrument and legally binding corporate rules.
- derogations to the above have to be necessary and proportionate in a democratic society.
- the independent national DPAs have to be guaranteed with proper resources to be able to perform their tasks.
- strong European cooperation between the national DPAs have to be ensured through the work of the EDPB and the cooperation and consistency mechanisms.
- there is a right to judicial remedy against controller or processor and against a DPA, with right to compensation and liability and penalties.
- sanctions have to be individually determined, effective, proportionate and dissuasive.
1. specific set of criteria is identified for processing in
a. the labour market and employment context
i.specifically to safeguard the right to collective agreements
b. the context of health
c. the context of freedom of expression
d. the context of historical, statistical and scientific research
Specifically regarding the Directive, we believe that the aforementioned principles should apply, where appropriate, and all deviations from the general rules have to be duly justified, necessary and proportionate in a democratic society, clearly demarcated and set in law. Such limitations can only be an exception to the general rule and cannot become the rule itself - therefore no blanket exceptions can be accepted.