The Austrian MEP Josef Weidenholzer has thankfully published the compromises that will be up for vote at tomorrow’s meeting of the EP committee on Civil Liberties, Justice and Home Affairs (LIBE).
Comp Art. 1 – 91, v. 7.-9.10.2013
Weidenholzer is convinced the compromises will strenghten the rights of European „data subjects“. He has also published extensive comments on the suggested amendments and argues that „all data are worth protecting„.
Introduction of Special Data Categories
In the small print, there are, however, unwanted side effects: In Article 9, the LIBE committee is to propose a broadening of the defintion of „special categories of data“ that deserve enhanced protection:
„The processing of personal data, revealing race or ethnic origin, political opinions, religion or philosophical beliefs, sexual orientation or gender identity, trade-union membership and activities, and the processing of genetic or biometric data or data concerning health or sex life, or administrative sanctions, judgments, criminal or suspected offences, convictions, or related security measures shall be prohibited.“
(Comp Art. 1 – 91, v. 7.-9.10.2013, p. 16)
While it is, at least, debatable, if the fact that a person is male or female („gender identity“) actually constitutes „sensitive information“, extra protection undoubtedly makes sense as far as „sexual orientation“ is concerned as discrimination against members of the GBLT community is still widespread in many European countries.
With High Risk Consequences
The consequences of the „special“ protection are, however, bizarre:
- Example A: The GBLT interest group that will need to go through a „data protection impact assessment“ and to designate a data protection officer
A German GBLT interest group keeps a record of its members. As information on the sexual orientation of the members can be inferred from the record, the record is to be regarded as „high risk“ according to the newly suggested Art. 32 a:
„2. The following processing operations are likely to present specific risks:
(b) processing of special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large scale filing systems“
As a „high risk“ enterprise, the GBLT group will have to produce a „data protection impact assessment“ pursuant to Art. 32a (3) (c) and Art. 33 of the proposed regulation.
As if this was not enough: Even if the group has only a handful of members, it will need to designate a data protection officer. According to the newly suggested Art. 35 (1) (d), a data protection officer is to be mandatory when
„the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1), location data or data on children or employees in large scale filing systems“.
- Example B: The American GBLT online book shop that will need a EU representative
A US company specializes on GBLT customers and offer books and services relating to GBLT interests. The company has a website that is clearly addressed to US customers. European customers are rare and exceptional.
As the company has GBLT customers, it necessarily processes „special categories of data“ and will need to designate a representative in the EU. An exception from this obligation would, according to the amended Art. 25 (2) (d), only apply to
„a controller
offeringonly occasionally offeringgoods or services to data subjectsresidingin the Union, unless the processing of personal data concerns special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems„
Why? Intentions and Winners …
One may argue that such extra burdens for companies and interest groups catering for a GBLT audience are not intended by the suggested rules. This would, however, be clearly open to interpretation. And should it really be (mainly) privacy consultants and lawyers that are on the winning side of new European legislation?
.