On March 29, 2012, the Article 29 Working Party released its opinion on the European Commission’s proposed new data protection Regulation and Directive (WP191 – Opinion 01/2012 on the data protection reform proposals). The Working Party expresses strong reservations about the proposed Directive on data processing for police and criminal justice matters, criticizing the Commission’s use of two different legal instruments to cover subjects that could be addressed in a single text. The Working Party finds the proposed Directive on police and criminal justice matters “disappointing in its lack of ambition compared to the Regulation”.
Regarding the proposed Regulation, the Working Party suggested improvements:
- The text should further clarify concepts such as the definition of data subject, the definition of personal data (to address discrepancies regarding IP addresses for instance), and the definition of biometric data. The rights of minors should be better defined (through better definition of the role of representatives, etc.) and the right to be forgotten should be accompanied by provisions to permit better enforcement, including against third parties. The text should add an obligation to anonymise or pseudonymise personal data where feasible and proportionate based on the purpose of the processing;
- The Working Party suggested that the provision on data breach notification be changed to exclude “minor data breaches” and to introduce a “two-step approach” whereby only the notification of the breach itself must take place within 24 hours after becoming aware of it, and additional information would be provided in a second phase after more detailed investigations;
- The text should better define the concept of main establishment and the role of the one-stop shop lead data protection authority (certain terms appear to be conflicting or overlapping, and the definition of the roles of the lead data protection authority and of the other interacting data protection authorities requires further refinement). The Commission should also better clarify the obligations imposed on data controllers in the context of the accountability principle, and better limit the European Commission’s power in adopting “delegated and implementing acts”. The extent of delegated acts draws “serious reservations” from the Working Party;
- The proposal should better adjust the obligations of data controllers based on their effective role rather than on the basis of factors disconnected from data protection considerations (e.g. the proposed thresholds that would trigger the applicability of certain provisions should be related to the “nature and extent of the processing” in a manner that could resemble the threshold proposed by the US Federal Trade Commission, e.g. the processing of non-sensitive data of fewer than 5,000 persons per year);
- Data protection authorities should have discretion in the way they administer sanctions and levy fines in consideration of the actions of the data controller and the seriousness of the breach. DPAs should be equipped with additional financial, human and technical measures due to their increased responsibilities;
- DPAs and the future European Data Protection Board (EDPB) should have a bigger role in shaping policy; they should be independent and have effective power.
The Working Party was not able to reach consensus on the opinion. The DPAs from Belgium and Romania abstained because they object to the Commission’s use of a regulation as the legal instrument; the Czech data protection authority abstained without giving reasons; and the Estonian DPA voted against the opinion because the DPA “sees too many essential disconcerting aspects in the packet (…).”