On Tuesday, May 29, LIBE rapporteur Jan Philipp Albrecht, MEP of the Greens/EFA group, hosted a debate on the proposed Data Protection Regulation (downloadable here). Stakeholders from business to civil society and representatives of the EU institutions gathered in the vast Brussels plenary chamber of the EP to exchange their views and concerns on the future of data protection in the EU. The three panels treated in turn the scope and principles of the proposal, the data subject rights and the roles of Data Protection Authorities (DPAs) and Data Controllers. This report highlights some of the many issues brought forward by panelists and attending stakeholders alike.

Data Protection as a Fundamental Right

The first panel, consisting of Peter Hustinx, European Data Protection Supervisor, Peter Drunkenmöller, representative of the loyalty card system Payback and Joe McNamee of European Digital Rights organization EDRi, showed remarkable agreement that a regulation is indeed the best tool for addressing data protection on a European level. While Drunkenmöller emphasized the positive impact of a harmonized EU data protection regime for the expansion of businesses, McNamee welcomed the improvement of data protection implementation through the regulation. As he pointed out, data protection's inclusion in the Charter of Fundamental Rights constitutes a binding promise of the EU to its citizens to not just pay lip service to this right, but to effectively implement it in all member states.

Repeated attempts from business representatives in the audience to frame data protection as a consumer right rather than a fundamental right (as a Privacy International attendee correctly pointed out, consumer rights are fundamental rights) and to argue that fundamental rights were only supposed to protect the individual from the state and not require the state to regulate business were rightly shot down by the panel. Hastings pointed towards horizontal relations in fundamental rights, i.e. the obligation of the state to actively guarantee those rights.

Strengthening the Implementation of Data Protection

In order to further improve the implementation of the right to data protection, EDRi identified potential loopholes in the draft: The exemption of law enforcement from the scope of the regulation, which could be interpreted as including private security contractors, would give foreign governments the opportunity to access EU citizens' data through private companies. As McNamee pointed out, no foreign government should be able to circumvent EU law.

Another point of criticism was the vague nature of the legitimate interest clause that allows companies to process data without explicit consent. One national high court had ruled that even an ISP's snooping for copyright infringements by its customers was a legitimate interest. McNamee suggested to strengthen the clause to make sure that the need for consent to data processing could not be overridden by an ISP's contract with a customer.

Effects of the Data Protection Regulation on Media

Several media associations weighed in on the debate with differing concerns regarding the draft. A representative of the European Newspaper Association criticised that the exemption for journalists from parts of the data protection regime was left to the member states to implement. She suggested that the aim of balancing data protection with freedom of expression would be better served by making the exemption directly legally binding within the regulation.

A member of the Newspaper Publishers Association pointed towards the importance of the legitimate interest clause for newspapers' business models, defending the practice of sending addressed letters to households without consent, in order to acquire new customers. Hastings assured that the inclusion of a legitimate interest clause in the regulation was necessary due to a ruling of the European Court of Justice, but strong safeguards like the right to objection were necessary to protect citizens' rights.

Right to be Forgotten

The second panel on data subject rights featured some criticism of the newly introduced right to be forgotten. Marisa Jimenez of Google argued that in the digital environment, an individual user is not always just the data subject, but also often the data processor. Google proposed not to enforce the right to be forgotten against individuals, introducing a household exception to the text. In a similar vein, Nuria Rodriguez of the European Consumers' Organization (BEUC) argued that while the concept was to be welcomed in principle, the enforcement against individuals could collide with their freedom of expression, or could be grounds for companies to filter content. Leila Schilthuis, formerly associated with the International Centre for Missing and Exploited Children (ICMEC), warned that the enforcement of the right to be forgotten against individuals (e.g. teenagers sharing group photos) would be very difficult. In her opinion, the regulation should focus on effectively enforceable provisions in order not to mislead individuals, and to support awareness programs for children and their parents when dealing with personal data on the internet. To further protect minors from being targeted by online marketing, the regulation should include safeguards against the use of meta-data produced by minors.

Transparency

Rodrigez of BEUC drew attention to the importance of transparency to individuals in matters of data protection. She welcomed that the regulation asks for easily understandable information on the processing of data, but wanted to extend the principle of transparency and readability by making standard forms for privacy policies a requirement. The information a data controller has to provide to a data subject should also be extended to include the type of personal data collected.

Strengthening Data Protection Authorities

The last panel mainly focused on the role of Data Protection Authorities. Laetita Kroener of the Article 29 working party asked that the role of the European Data Protection Authority be strengthened vis-à-vis the Commission. Philip Schütz, a researcher at the Fraunhofer Institute for Systems and Innovation who is working on the comparative analysis of DPAs, identified two major factors in the efficiency of DPAs: independence and funding. As data protection must be followed by private companies as well as government institutions, DPAs, that are closer to government than to industry, must be organisationally and financially independent of the institutions they may be scrutinising.

As DPAs have to fulfill a wide variety of obligations, from complaint handling to education and advice, they require adequate resources, as outlined in the regulation. Schütz criticised that the term "adequate resources" may be open to interpretation by member states. Along with Kroener, he cautioned for stronger independence of the DPAs from the Commission.

A large number of diverse interests were voiced during the well-attended workshop, covering all of which would certainly exceed the reader's attention. Further information can be gathered from the opinions on the data protection reform issued by various parties.