The European Parliament's civil liberties committee voted Monday night to allow profiling of "pseudonymous" data, but digital rights groups say that safeguards to protect data are not sufficient.
The committee vote was on the latest amendments to the proposed E.U. Data Protection Regulation, which was put forward by Justice Commissioner Viviane Reding in 2012 and has provoked some of the heaviest lobbying seen in Brussels in years. The text voted on Monday had been through almost 4,000 amendments.
"The combination of Articles 6 and 20 amounts to a badly drafted license to profile without consent," warned EDRi director Joe McNamee.
Article 20 of the draft law states: "Profiling based solely on the processing of pseudonymous data should be presumed not to significantly affect the interests, rights or freedoms of the data subject." Pseudonymous data is defined in the text as "personal data that cannot be attributed to a specific data subject without the use of additional information."
This means that "profiling, using nonidentified but identifiable data is permissible without the consent of the individual, using the 'legitimate interest' exception," McNamee said.
This "legitimate interest" exception appears in Article 6, which reads: "Processing of personal data shall be lawful if processing is necessary for the purposes of the legitimate interests pursued by the controller, and which meet the reasonable expectations of the data subject based on his or her relationship with the controller.""This could turn 'legitimate interest' into the main legal basis for processing," said Jeremie Zimmermann of La Quadrature du Net in a statement.
"A lot of other compromise amendments reached by members of the different political groups are actually good. For instance, those providing that consent must be explicit, that data must be fairly processed or that citizens must keep them under their control; but these good compromise amendments could be almost useless if the compromise amendments made on Article 6 and 20 are adopted," Zimmermann added.
German member of Parliament Jan Phillipp Albrecht accepted that he couldn't keep everyone happy. "When you compromise you can't expect to get 100 percent of what you want," he said. "But I think this text is strengthening citizens' rights compared to what we have today."
The draft law does indeed include some precautions against worst-case scenarios. For instance, additional information that could be used to identify individuals in pseudonymous data must be kept separately from such pseudonymous data. Profiling that has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity is also explicitly banned.
The text of the law will now be negotiated with member states in the European Council after members of the committee gave Albrecht, the politician charged with steering the legislation through, a mandate to continue final negotiations. Once an agreement has been reached between all parties, the text will go before the European Parliament as a whole no later than next April.
John Higgins, director general of DigitalEurope, urged member states not to hurry final negotiations. "There is a real risk that the drafting process will be rushed and important details will not get addressed properly. Rushing through a half-baked law risks throwing away a vital and much-needed opportunity to stimulate economic growth. Put simply, take your time. Get it right."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.