This post was written by Cynthia O’Donoghue.

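On 10 January 2013, Jan Philipp Albrecht, the EU Parliament rapporteur for the Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), presented his draft report (“Report”) proposing amendments to the European Commission’s proposed Data Protection Regulation (“Proposed Regulation”).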

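Albrecht’s amendments to what was already a complex and prescriptive piece of draft legislation have met with mixed reviews from governments and industry. The UK recently published criticism of the current proposals, while the European Data Protection Supervisor (EDPS) reacted positively to Albrecht’s report, saying it was impressed by the changes made, since they include many of the recommendations of the EDPS and the Article 29 Working Party.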

Albrecht has recommended significant alterations to the most contentious provisions, such as the definition of personal data, consent, the rights of access, portability and to be forgotten, and the 24-hour breach notification. Albrecht has sought to simplify the legal framework while also strengthening individuals’ rights.

The definition of personal data includes data that would single a person out, either from data held alone or when used in “combination with associated data,” and seeks to clarify uses of pseudonymised data and create a definition for anonymous data that prevents identification of a person, where identification, directly or indirectly, would require a “disproportionate amount of time, expense and effort.”

Albrecht believes consent “is the best way for individuals to gain more control over data processing activities,” and his proposed amendments require consent to be explicit, freely given, specific, informed, and obtained through “clear affirmative action,” since pre-ticked boxes cannot be seen to express free consent.

The right of access would now include the ability to obtain information about profiling and whether a governmental authority had requested data, as well as whether an organisation had complied with that request. The right of portability would be amended to be part of the right of access, so that copies of data are provided in a format that can be migrated to another service.

In relation to the right to be forgotten, Albrecht includes a provision for erasure if there are no legitimate grounds to retain the data. This aims to ensure that companies that have transferred data to third parties without a legitimate legal basis do actually erase the data. Vivian Reding, in a speech at the EU Justice Council meeting in Dublin on 18 January 2013, adopted an “ambitious, pragmatic” approach as necessary to prevent unreasonable obligations being imposed on businesses.

Responding to the perceived short time limit of 24 hours for notifying the National Supervisory Body of personal data breaches initially proposed by the European Commission, Albrecht suggests extending the time frame to 72 hours.

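Albrecht also recommends more onerous notice requirements, requiring data controllers to use a multi-layered approach, including easily understandable icon-based descriptions of the different types of processing.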

Albrecht also recommends that organisations’ ability to rely on the legitimate interest basis for processing data be limited to “exceptional circumstances,” where it would be possible for a data controller’s interests to override the fundamental rights and freedoms of data subjects.

Other amendments proposed by Albrecht include changing the criterion for mandatory appointment of a data protection officer (DPO) from having more than 250 employees to processing the data of 500 individuals or more per year. This means that even small companies and start-ups would incur this expense.

In its recent response to the UK Justice Select Committee’s opinion on the Data Protection framework proposals, the UK Ministry of Justice found mandatory appointments of DPOs unnecessary and suggested that data controllers should be encouraged to appoint DPOs “if they were felt necessary to ensure compliance with the proposed Regulation.” Both the UK Ministry of Justice and the UK Justice Select Committee have been highly critical of the proposed Regulation, finding it overly prescriptive and likely to increase costs to the UK economy by between £100 million and £360 million per annum; and the UK Government likely would view Albrecht’s amendments even more harshly, since the UK would like to see the draft Regulation recast as a Directive to allow Member States a degree of flexibility.

The Irish government, which currently holds the rotating EU presidency, also commented at the Dublin Justice Council meeting, suggesting that the household exemption (which permits individuals processing data as part of purely personal activity) and the right to be forgotten are unrealistic. While the Irish have previously said that the proposed Regulation is a priority they would like to see passed during their EU term of presidency, the draft Regulation is continuing to prove highly contentious, and any effort to further constrain business is likely to meet with resistance from some Member States as well as industry.