OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR on the Communication from the Commission to the European Parliament and the Council on the follow-up of the Work Programme for better implementation of the Data Protection Directive.
On 7 March 2007, the aforementioned Communication was sent by the Commission to the EDPS. In accordance with Article 41 of Regulation (EC) No 45/2001, the EDPS presents this opinion.
The Communication reiterates the importance of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data as a milestone in the protection of personal data and discusses the Directive and its implementation. The central conclusion of the Communication is that the Directive should not be amended. The implementation of the Directive should be further improved by means of other policy instruments, most of them with a non binding nature.
The EDPS shares the central conclusion of the Commission that the Directive should not be amended in the short term. The points of departure for the EDPS are as follows: (i) in the short term, energy is best spent on improvements in the implementation of the Directive; (ii) in the longer term, changes of the Directive seem unavoidable; and (iii) a clear date for a review to prepare proposals leading to such changes should already be set now. Such a date would give a clear incentive to start the thinking about future changes already now.
According to the EDPS, the main elements forfuture change include:
- no need for new principles, but a clear need for other administrative arrangements;
- the wide scope of data protection law applicable to all use of personal data should not change;
- data protection law should allow a balanced approach in concrete cases and should also allow data protection authorities to set priorities;
- the system should fully apply to the use of personal data for law enforcement purposes, although appropriate additional measures may be necessary to deal with special problems in this area.
Moreover, the EDPS suggests that the Commission specify: (i) a timeline for the activities of Chapter III of the Communication; (ii) a deadline for a subsequent report on the application of the Directive; (iii) terms of reference to measure the realisation of the activities foreseen; and (iv) indications on the way to proceed in the longer term.
The EDPS regrets that the perspective of global privacy and jurisdiction plays a limited role in the Communication and asks for practical solutions that reconcile the need for protection of the European data subjects with the territorial limitations of the European Union and its Member States, such as: (i) the further development of a Global Framework for data protection; (ii) the further development of the special regime for transfer of data to third countries; (iii) international agreements on jurisdiction or similar agreements with third countries; and (iv) investing in mechanisms for global compliance, such as the use of binding corporate rules by multinational companies. The EDPS invites the Commission to start developing a vision on this perspective, together with most relevant stakeholders.
On law enforcement, the EDPS has the following suggestions to the Commission:
- further reflection on the implications of the involvement of private companies in law enforcement activities;
- preserve the effet utile of Article 13 of the Directive, possibly by proposing legislation aiming at harmonizing the conditions and the safeguards for using the exemptions of Article 13.
Full implementation of the Directive means: (i) that it be ensured that the Member States fully comply with their obligations under European law; and (ii) that other, non binding tools, that could be instrumental to a high and harmonised level of data protection be fully used. The EDPS asks from the Commission to clearly indicate how it will use the different instruments.
In relation to those instruments:
- in certain cases, specific legislative action at EU level may be necessary;
- the Commission is encouraged to pursue a better implementation of the Directive through infringement procedures;
- the Commission is invited to use the instrument of an interpretative communication for the following issues: (i) the concept of personal data; (ii) the definition of the role of data controller or data processor; (iii) the determination of applicable law; (iv) the purpose limitation principle and incompatible use; and (v) legal grounds for processing, especially with regard to unambiguous consent and balance of interests;
- non binding instruments include instruments building on the concept of ‘privacy by design’;
- for longer term also: (i) class actions; (ii) actions initiated by legal persons whose activities are designed to protect the interests of certain categories of persons; (iii) obligations for data controllers to notify security breaches to data subjects; and (iv) provisions facilitating the use of privacy seals or third-party privacy audits in a trans-national setting.
Lastly, the EDPS invites the Commission to present a paper to the Working Party giving clear indications on the division of roles between them.