Comprehensive approach on personal data protection in the European Union  
2011/2025(INI) - 14/01/2011  

EUROPEAN DATA PROTECTION SUPERVISOR: Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, ‘A comprehensive approach on personal data protection in the European Union’.

The EDPS fully supports the comprehensive approach to data protection. However, he regrets that the Communication excludes certain areas, such as the data processing by EU institutions and bodies, from the general legal instrument. If the Commission were to decide to leave out these areas, the EDPS urges the Commission to adopt a proposal for the EU level within the shortest possible timeframe, but preferably by the end of 2011.

The EDPS welcomes the Commission's Communication in general, as he is convinced that the review of the present legal framework for data protection is necessary, in order to ensure effective protection in an increasingly developing and globalised information society. He shares the view of the Commission that a strong system of data protection will still be needed in the future, based on the notion that existing general principles of data protection are still valid in a society which undergoes fundamental changes.

With a view to a new framework for data protection, the EDPS calls for a more ambitious approach on a number of points:

(1) Harmonisation and simplification: the EDPS identifies areas where further and better harmonisation is urgent: definitions, grounds for data processing, data subjects’ rights, international transfers and data protection authorities. The EDPS suggests considering the following alternatives to simplify and/or reduce the scope of the notification requirements:

  • limit the obligation to notify to specific kinds of processing operations entailing specific risks;
  • a simple registration obligation requiring data controllers to register (as opposed to extensive registration of all data processing operations);
  • the introduction of a standard pan-European notification form.

According to the EDPS, a Regulation, a single instrument which is directly applicable in the Member States, is the most effective means to protect the fundamental right to data protection and to achieve further convergence in the internal market.

(2) Strengthening the rights of individuals: although supporting the Communication where it proposes strengthening individuals’ rights, the EDPS makes the following suggestions:

  • a principle of transparency could be included in the law. However, it is more important to reinforce the existing provisions dealing with transparency;
  • a provision on personal data breach notification, which extends the obligation included in the revised ePrivacy Directive from certain providers to all data controllers, should be introduced in the general instrument;
  • the limits of consent should be clarified. Broadening the cases where express consent is required should be considered as well as adopting additional rules for the online environment;
  • additional rights should be introduced such as data portability and the right to be forgotten, especially for information society services on the internet;
  • children's interests should be better protected with a number of additional provisions, specifically addressed to the collection and further processing of children's data;
  • collective redress mechanisms for breach of data protection rules should be introduced in the EU legislation, in order to empower qualified entities to bring actions on behalf of groups of individuals.

(3) Strengthening the obligations of organisations/controllers: the new framework must contain incentives for data controllers to pro-actively include data protection measures in their business processes. The EDPS proposes the introduction of general provisions on accountability and ‘privacy by design’. A provision on privacy certification schemes should also be introduced.

(4) Globalisation and applicable law: a new legal instrument must clarify the criteria determining applicable law. It should be ensured that data that are processed outside the borders of the EU do not escape EU jurisdiction where there is a justified claim for applying EU law. The EDPS fully supports the objective to ensure a more uniform and coherent approach vis-à-vis third countries and international organisations. Binding Corporate Rules (BCRs) should be included in the legal instrument.

(5) The area of police and justice: a comprehensive instrument including police and justice may allow for special rules which duly take account of the specificities of this sector, in line with Declaration 21 attached to the Lisbon Treaty. Specific safeguards need to be put in place, in order to compensate data subjects by giving them additional protection in an area where the processing of personal data is by nature more intrusive.

(6) Data Protection Authorities (DPAs) and the cooperation between DPAs: the EDPS fully supports the objective of the Commission to address the issue of the status of data protection authorities (DPAs), and to strengthen their independence, resources and enforcement powers.

The EDPS suggests reinforcing the advisory role of the Working Party (Article 29) by introducing an obligation for DPAs and the Commission to take the utmost account of opinions and common positions adopted by the Working Party. He urges the Commission to take a position as soon as possible on the issue of supervision of EU bodies and large scale information systems, taking into consideration that all supervisory bodies should fulfil the indispensable criteria of independence, sufficient resources and enforcement powers and that it should be ensured that the EU perspective is well represented. The EDPS supports the model of ‘coordinated supervision’.

The EDPS suggests the following improvements under the present system:

  • continue monitoring Member States’ compliance with Directive 95/46/EC and, where necessary, using its enforcement powers under Article 258 TFEU;
  • encourage enforcement at the national level and the coordination of enforcement;
  • build data protection principles pro-actively into new regulations which may have an impact, directly or indirectly, on data protection;
  • actively pursue further cooperation between the various actors at international level.