Unwanted side effects of the EU data protection reform: extra burdens for GBLT interest groups?

avatar  Niko Härting

The Austrian MEP Josef Weidenholzer has thankfully published the compromises that will be up for vote at tomorrow’s meeting of the EP committee on Civil Liberties, Justice and Home Affairs (LIBE).

Comp Art. 1 – 91, v. 7.-9.10.2013

EU-Parlament, Committe on Civil Liberties, Justice and Home Affairs, Agenda and Documents for Meeting on 21.10.2013

Weidenholzer is convinced the compromises will strenghten the rights of European „data subjects“. He has also published extensive comments on the suggested amendments and argues that „all data are worth protecting„.

Introduction of Special Data Categories

In the small print, there are, however, unwanted side effects: In Article 9, the LIBE committee is to propose a broadening of the defintion of „special categories of data“ that deserve enhanced protection:

„The processing of personal data, revealing race or ethnic origin, political opinions, religion or philosophical beliefs, sexual orientation or gender identity, trade-union membership and activities, and the processing of genetic or biometric data or data concerning health or sex life, or administrative sanctions, judgments, criminal or suspected offences, convictions, or related security measures shall be prohibited.“
(Comp Art. 1 – 91, v. 7.-9.10.2013, p. 16)

While it is, at least, debatable, if the fact that a person is male or female („gender identity“) actually constitutes „sensitive information“, extra protection undoubtedly makes sense as far as „sexual orientation“ is concerned as discrimination against members of the GBLT community is still widespread in many European countries.

With High Risk Consequences

The consequences of the „special“ protection are, however, bizarre:

  • Example A: The GBLT interest group that will need to go through a „data protection impact assessment“ and to designate a data protection officer

A German GBLT interest group keeps a record of its members. As information on the sexual orientation of the members can be inferred from the record, the record is to be regarded as „high risk“ according to the newly suggested Art. 32 a:

„2. The following processing operations are likely to present specific risks:
(b) processing of special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large scale filing systems“

As a „high risk“ enterprise, the GBLT group will have to produce a „data protection impact assessment“ pursuant to Art. 32a (3) (c) and Art. 33 of the proposed regulation.

As if this was not enough: Even if the group has only a handful of members, it will need to designate a data protection officer. According to the newly suggested Art. 35 (1) (d), a data protection officer is to be mandatory when

„the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1), location data or data on children or employees in large scale filing systems“.

  • Example B: The American GBLT online book shop that will need a EU representative

A US company specializes on GBLT customers and offer books and services relating to GBLT interests. The company has a website that is clearly addressed to US customers. European customers are rare and exceptional.

As the company has GBLT customers, it necessarily processes „special categories of data“ and will need to designate a representative in the EU. An exception from this obligation would, according to the amended Art. 25 (2) (d), only apply to

„a controlleroffering only occasionally offeringgoods or services to data subjects residing in the Union, unless the processing of personal data concerns special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems

Why?  Intentions and Winners …

One may argue that such extra burdens for companies and interest groups catering for a GBLT audience are not intended by the suggested rules. This would, however, be clearly open to interpretation. And should it really be (mainly) privacy consultants and lawyers that are on the winning side of new European legislation?



Mehr zum Autor: RA Prof. Niko Härting ist namensgebender Partner von HÄRTING Rechtsanwälte, Berlin. Er ist Mitglied der Schriftleitung Computer und Recht (CR) und ständiger Mitarbeiter vom IT-Rechtsberater (ITRB) und vom IP-Rechtsberater (IPRB). Er hat das Standardwerk zum Internetrecht, 6. Aufl. 2017, verfasst und betreut den Webdesign-Vertrag in Redeker (Hrsg.), Handbuch der IT-Verträge (Loseblatt). Zuletzt erschienen: "Datenschutz-Grundverordnung".

Schreiben Sie einen Kommentar

Sie müssen sich einloggen um einen Kommentar schreiben zu können.