[GNU/consensus] The problem with "Personal Data"

[hellekin (GNU/consensus)]

LQDN published an article calling for action before the 19th of March
regarding yet another attempt at reducing privacy of Internet users in
the European Union [1].

The article mentions: The “Legal Affairs” (JURI) Committee, led by
Marielle Gallo (France - EPP) – notorious for being one of ACTA's main
proponents – is likely to vote in the same way that the three previous
committees, weakening the protection of EU citizens' privacy contained
in the European Commission's initial proposal. For example, some
amendments tabled on the draft opinion suggest reducing the scope of the
definition of “personal data”, using the outrageous fallacy of
“pseudonymous data” (2), and reducing sanctions against violations of
the Regulation (3).

*

Hence, the definition of "Personal Data" is a pretty serious matter.

The current definition of the EU, according to the 1995 directive on
Data Protection Regulation [4]:

Article 2 - Definitions

(a) 'personal data' shall mean any information relating to an identified
or identifiable natural person ('data subject'); an identifiable person
is one who can be identified, directly or indirectly, in particular by
reference to an identification number or to one or more factors specific
to his physical, physiological, mental, economic, cultural or social
identity;

(b) 'processing of personal data' ('processing') shall mean any
operation or set of operations which is performed upon personal data,
whether or not by automatic means, such as collection, recording,
organization, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, blocking, erasure
or destruction;

*

Amendments 108-109-111 & 140 - Pseudonymous data

Rapporteure Marielle Gallo (EPP), Sajjad Karim (ECR) and Klaus-Heiner
Lehne (EPP) proposed three identical amendments which are the verbatim
copy of an amendment proposed by both the American Chamber of Commerce
(look at page 11) and EuroISPA, the 'world's largest association of
Internet Services Providers' (look at page 2)

Article 4 - Definitions
(3a) 'pseudonymous data' means any personal data that has been
collected, altered or otherwise processed so that it of itself cannot be
attributed to a data subject without the use of additional data which is
subject to separate and distinct technical and organisational controls
to ensure such non attribution;

*

Frank, although we couldn't reach yet a formal agreement on the User
Data Manifesto, I suggest that this event would provide a good moment
for you to trigger the UDM supporters into action.

Moreover, although I hate the word and concept of "urgency", there's
matter to put something out that builds upon sound legal and ethical
grounds before long.

==
hk

[1]
https://www.laquadrature.net/en/data-protection-last-opinion-vote-in-juri-on-19-march

(2) Marielle Gallo (France - EPP), Sajjad Karim (UK - ECR) and
Klaus-Heiner Lehne (Germany - EPP) have proposed three identical
amendments which are the verbatim copies of a measure proposed by both
the American Chamber of Commerce (see page 11) and EuroISPA, the
'world's largest association of Internet Services Providers' (see page
2). These amendments dictate that data which are not directly collected
or processed together with the name of the data subject may be collected
or processed without the data subject's consent, even if these data are
tied to an unique identifier (for behavioural targeting, for instance)
or may afterwards be easily associated with the data subject (see
studies on the matter).

(3) While the proposed Regulation currently dictates that fines may be
imposed to anyone who breaks the Regulation, even for a single and
negligent breach, Amendments 63 to 66 tabled by JURI's members propose
that only repeated and deliberate breaches of the Regulation may lead to
a fine.

[4]
http://www.laquadrature.net/wiki/Data_protection_issues#Definition_of_personal_data

signature.asc
Description: OpenPGP digital signature