The EU’s data protection regime is currently set out in Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, with which all EU member states must comply.
In January 2012, the European Commission published proposals for reform of EU data protection law. The proposals include a draft Data Protection Regulation that is designed to replace the current Directive.
The Article 29 Working Party – a body set up under the Data Protection Directive to act as an independent advisory body on data protection and privacy issues – has published comments on six specific areas of policy:
Application of the draft Regulation to the public sector. The Working Party acknowledges that processing activities by the public sector for public interest purposes must remain possible under the proposed Regulation. However, it highlights the nature of data protection as a fundamental right guaranteed both by the Treaty of Lisbon and the Charter on Fundamental Rights, which is not dependent on whether the data controller is from the private or the public sector. More importantly, it stresses that given the powerful position of governments in relation to individuals, effective protection is all the more needed. It therefore argues that a distinction between the public and the private sector with regard to data protection would not only be unworkable in practice but would also lead to legal uncertainty.
Pseudonymisation and encryption. The Working Party reiterates its view, taken in several opinions since 2007, that if it is possible to trace or (indirectly) identify an individual by certain data, whether alone or in combination with other data, data protection rules continue to apply. It explains that both pseudonymised and encrypted data would therefore still be considered personal data under the draft Regulation, since both merely disguise the individual’s identity but generally allow for re-identification.
Consent. The Working Party stresses again that where a data controller uses consent as a legal ground for the processing of personal data, it must be sufficiently clear and expressed through a statement or affirmative action. It therefore cautions against the deletion of the requirement proposed in the draft Regulation that consent must be explicit.
Governance. The Working Party sounds another warning note about the extent to which the extended duties imposed on national data protection authorities (DPAs) and the European Data Protection Board (EDPB) that is to be newly constituted also imply great changes regarding the (re-)allocation of their scarce resources. It supports a funding model for national DPAs that ensures that all DPAs are sufficiently equipped to perform their tasks. In addition, the Working Party feels DPAs should be enabled to be selective in order to be effective. They should be able to define their own priorities and to start actions, such as investigations, on their own initiative.
International transfers. While the Working Party acknowledges the need for personal data to cross borders, it stresses the importance of adequate protection when personal data is transferred to countries outside the EU. It therefore rejects calls by industry that those transfers should also be possible on the basis of arrangements that are not binding on the parties. It also highlights the need to ensure that once transferred to non-EU entities, personal data is protected from access by foreign public authorities where those disclosures are not authorised under EU law. It advocates the obligatory use of Mutual Legal Assistance Treaties (MLATs) in those cases. When a controller or processor is required to transfer data from the EU to a third country on the basis of a judgement or an administrative decision and there is no MLAT or other international agreement in force between the requesting third country and the EU or the member state(s), the transfer of such data should be prohibited.
Risk-based approach. While the Working Party supports the view that the application of the draft Regulation to data controllers of different sizes should be scalable, it stresses that compliance should never be a box-ticking exercise. It therefore supports a risk-based approach where the extent of the controller’s obligations should be dependent not only on the size of the controller, or on the amount of processing operations it carries out, but also, for example, on the nature of the processing and the categories of the data it processes.
As before, the Working Party largely defends the draft Regulation from criticism that its obligations are too onerous and should be relaxed. In particular, its views on the definition of consent and the rules surrounding international data transfers will ring alarm bells in the boardrooms of large multinational companies and providers of online services that rely on the large-scale processing of personal data.