The Council adopted conclusions on the Commission communication "A comprehensive approach on personal data protection in the European Union". It welcomes the Communication and strongly supports the aim outlined in the Communication according to which appropriate protection must be ensured for individuals in all circumstances.
The Council shares the Commission’s view that the notion of a comprehensive approach to data protection does not necessarily exclude specific rules for data protection for police and judicial cooperation in criminal matters within this comprehensive protection scheme. It encourages the Commission to propose a new legal framework taking due account of the specificities of this area. In this context, certain limitations have to be set regarding the rights of individuals in the specific context in a harmonised and balanced way, when necessary and proportionate and taking into account the legitimate goals pursued by law enforcement authorities in combating crime and maintaining public security.
Privacy: Council invites the Commission to explore the possibility of including a provision on the ‘privacy by design’ principle in the new legal framework and to favour privacy-enhancing technologies (PET). It demands that special attention be given to minors.
The Council expects the special protection of sensitive personal data to remain a core element of the Commission proposal. It invites the Commission to assess the impact of the use of biometric data on individuals. It supports the idea of introducing privacy seals (EU certification schemes) and self-regulatory initiatives.
Applicable law: the Council feels that the new legal framework should clearly regulate the issue of applicable law within the European Union. As regards cases with an extra-EU dimension, the Council encourages the Commission to find legal solutions that provide adequate safeguards to ensure that data subjects can exercise their data protection rights even if their data are processed outside the European Union.
Principle of accountability: the Council considers that the concept of accountability should be explored with a view to diminishing the administrative burden on data controllers, for instance by simplifying or tailoring adequate notification requirements. Data breach notification should not, however, become a routine alert for all sorts of security breaches. It should apply only if the risks stemming from the breach can impact negatively on the individual's privacy.
While recalling that prime responsibility and accountability for the protection of personal data must rest with the data controller (who benefits from the use of such data), there is also a major need to increase the data subject's awareness of the implications of sharing his personal data.
The Council supports the Commission's aim of enhancing the data controller's responsibility and encourages the Commission to include in its impact assessment an evaluation of the possible appointment of Data Protection Officers.
Rights of individuals: the Council encourages the Commission: i) to define more precisely the rights of data subjects (such as access, rectification, deletion/blocking) and ii) to explore the introduction of a right to be forgotten, as an innovative legal instrument, insofar as the exercise of such a right is enabled by new technologies.
The Council is of the opinion that the right of access should, as a rule, be exercised free of charge and that any charge should be without excessive expense.
Data protection authorities: the Council supports a more harmonised role of data protection authorities. This also holds true for the field of police and judicial cooperation in criminal matters. In this context, the coordination between data protection authorities needs to be improved.