My personal data, nobody's business but my own:

Summary: BEUC reiterates the urgent need to put consumers back in control over the way their personal data is processed online and hopes an agreement on the General Data Protection Regulation will be reached under the Luxembourg Presidency. However, the urgency to adopt the Regulation must not take its toll on consumers’ fundamental rights. Weak provisions on fundamental data protection principles (e.g. purpose limitation) and/or allowing too much flexibility for commercial entities to process personal data based on their alleged legitimate interests could have devastating effects for consumers’ privacy, especially if coupled with flawed rules on highly sensitive aspects like profiling. In general terms, we believe that the European Parliament’s first reading position provides a good basis for an agreement. We also welcome the proactive stance taken by the European Data Protection Supervisor, who has provided some useful recommendations. In contrast, the Council’s General Approach contains some provisions that would even weaken current protection standards, a clear red line set out in the beginning of this reform. That being said, we urge the Commission, the Parliament and the Council to be ambitious. The objective is to modernise and improve Europe’s data protection regime, not to merely maintain the status quo and certainly not to weaken existing protection. The outcome of these negotiations shall provide consumers with greater transparency and control over how their personal data is collected and used. Otherwise consumers will be left with little option than to systematically give up their privacy in order to access online goods and services. This would be unacceptable. A robust Data Protection Regulation must comprise: A broad and future-proof scope. Every company doing business in Europe or targeting users based in Europe must comply with EU laws, regardless of the company’s nationality or the place where it is established. Any kind of information that would allow to identify an individual or single someone out as an individual shall be considered personal data, including pseudonymous1 data. Solid data protection principles and strict legal grounds for data processing. Principles such as “purpose limitation” and “data minimisation” are at the core of the EU data protection regime and must not be weakened. The amount of personal data processed should be kept to the minimum necessary. Further processing of personal data for purposes incompatible with those that justified the initial processing should not be allowed. An enhanced set of data subjects’ rights. Strong and clear provisions are needed with regard to fundamental issues such as the information that must be provided to data subjects, profiling and the right to object. Restrictions on user rights should be strictly limited and include sufficient guarantees. A comprehensive enforcement scheme, including effective mechanisms for consumer redress. The Regulation must be effectively and uniformly enforced across all of the EU. It is crucial that consumers can easily access effective mechanisms to seek redress and that consumer organisations are allowed to proactively defend the rights of data subjects. [see attached for rest of this important document]