Jan Philipp Albrecht is the Rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) for the Data Protection Regulation. Rapporteurs are tasked with reporting on subjects of interest to the committees. These reports are not binding on the committee, and can be ignored by Parliament as a whole; but are nevertheless influential. Albrecht’s report is so long and complex that data protection experts are still analyzing the content, and tend to concentrate on specific areas of interest. There are, however, three areas of particular note: the right to be forgotten, pre-ticked opt-in boxes, and delegated acts from the Commission.
While large American companies such as Facebook and Google have been lobbying hard against the proposed ‘right to be forgotten’, Albrecht seeks to strengthen it. The Regulation proposes “a 'right to be forgotten'...,” but Albrecht proposes, “a 'right to erasure and to be forgotten'...”. The Regulation only required that access to ‘forgotten’ data be restricted; that is, it could still be archived and kept by the holder. Albrecht wants it to be physically erased; something resisted by industry on both technical and commercial grounds.
The Out-Law legal blog picks up on the ‘pre-ticked box’ issue. According to the Regulation, writes Out-Law, “organisations seeking to rely on individuals' consent in order to process their personal data would be required to ensure that that consent was explicit, freely given, specific and informed and obtained through a statement or ‘clear affirmative action’.” But Albrecht wants to go further with the specific exclusion of the use of a pre-ticked box: “The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent.” In other words, Albrecht is seeking to prevent ‘approval by default’ by ensuring that the collection of personal data can only happen with the user’s specific approval and not his failure to object: opt-in, not opt-out, clarified by law.
Internet companies worry it will have a chilling effect on a thriving business, notes Reuters. "We are concerned that some aspects of the report do not support a flourishing European digital single market and the reality of innovation on the internet," Erika Mann, head of EU policy for Facebook, said.
But perhaps the most politically important amendment sought by Albrecht is one that limits the Commission’s ability to limit the Regulation for itself. “I think the most important proposal is the fettering of the European Commission’s powers,” notes the HawkTalk data protection blog. Under Albrecht’s proposals, the European Commission would have to consult with the supervisory privacy body (the European Data Protection Board, currently known as the Article 29 Working Party) over the 'delegated acts' it might wish to introduce.
“The change is to be welcomed because it helps reduce the conflict of interest that is endemic in every data protection regime that has ever existed,” says HawkTalk. That conflict means that there is always a risk that the Commission might subvert the law to suit its own policies. “Such subversion happens in spades. So, for instance, if it is politically convenient to ignore data protection considerations when transferring personal data abroad (e.g. PNR data to the USA) or enter into agreements that are data protection deficient (e.g. the European Data Protection Supervisor has publicised several examples of such agreements), then the Commission does so quite freely. All Data Protection Commissioners can do is shout in public, and then go to the pub and cry into their beer.” Albrecht is seeking to reduce the Commission’s ability to ignore its own regulations whenever it wishes.
Whether this report supports, criticizes or mauls the Data Protection Regulation depends almost entirely on one’s own point of view – and the spin that is put on it. Albrecht concludes, “If these elements can be supported by Parliament, Council and Commission, the new legal framework for data protection will provide an improvement both for individuals and for data controllers, and will be future-proof for the coming years.”