Second, Gerrit Hornung of the University of Passau takes the floor. He considers the proposals a valuable improvement on the existing legislation, but nevertheless has a number of criticisms, focusing on the new rights of citizens. First of all, he criticizes the provision on profiling (Article 20 of the draft regulation). This only limits the possibility of measures based on profiling, while profiling itself should also be regulated.
Another point of attention concerns the use of so-called quality marks to indicate a high level of data protection. Hornung values democratic establishment of procedures and powers when using and enforcing such a “data protection seal”. He cites an example in which the German parliament was unable to reach agreement on the further elaboration of a ‘data protection label’. This leads Hornung to believe that this should not be left to the Commission through delegated powers.
Hornung goes on to describe the consistency mechanism for regulatory enforcement (Chapter VII, Section 2 of the draft regulation), in which national supervisors are fully independent, as they should be, but the European Commission has given itself the last word at European level, as highly inconsistent, and states that it should be amended. According to Hornung, the right to data portability is a step forward, but will only have the desired effect if digital service providers work together better (interoperability).
Hornung is hesitant about the right to be forgotten and points to the problematic relationship between a European ‘right to be forgotten’ and national provisions on freedom of expression and freedom of the press, for which the new proposals do not offer a solution. Furthermore, Hornung mentions the importance of a legal basis for the processing of data, and he argues that any exceptions to this should already be included in the regulation, rather than deciding later whether a legal basis is necessary or not for certain data.
Hornung also emphasizes the lack of clarity of provisions regarding the processing of data for public authorities, for example if this is necessary for the performance of a “task in the public interest” or a “task forming part of the exercise of public authority”. In this context, he points to the current discussion in Germany about national key registers.
One example is access by private parties to these databases. Finally, like several speakers, he emphasizes that the wide delegation of powers to the European Commission, which does not only concern non-essential elements of the proposals as prescribed by the Treaty, cannot be justified.
After this critical reflection, Jean Genie, director of privacy at Microsoft Europe, is given the floor. He argues that everyone is looking for trust and confidentiality, especially in view of current and future developments. With regard to the new regulations, Microsoft first of all needs a clear set of basic principles. Microsoft, like many other companies, is a proponent of maximum harmonization. An important part of this is the principle of the one-stop shop.
Furthermore, companies are often both processors and controllers, and this is reason for Microsoft to ask for a better definition of this. Genie then raises the alarm with regard to the proposed fine for negligence (Article 79 of the draft regulation), because there is no intent involved and it is unclear what exactly ‘negligence’ means.
Point of Attention
He comments on the delegated acts on fines, as companies need predictability and clarity about what they can and cannot do. An important point of attention for Microsoft is that, in addition to fines, good behavior must also be rewarded, for example by means of certificates and strong codes of conduct.
Citizens’ rights are good, but companies should also have rights and be encouraged to behave well, says Genie. Finally, Genie mentions the subject of transparency. This is very important to generate trust. It cannot be imposed, but it can be encouraged. There is a need for further elaboration of this in the regulations.