EDPS Opinion on the data protection reform package
On 25 January 2012, the Commission adopted a package for reforming the EU rules on data protection, which included:
· this proposal for a Regulation containing the general rules on data protection and
· a proposal for a Directive on data protection in the law enforcement sector.
The Regulation: the EDPS welcomes the proposed Regulation, as it constitutes a huge step forward for data protection in Europe. The proposed rules will strengthen the rights of individuals and make controllers more accountable for how they handle personal data. Furthermore, the role and powers of national supervisory authorities (alone and together) are effectively reinforced.
The EDPS is particularly pleased to see that the instrument of a regulation is proposed for the general rules on data protection. The proposed Regulation would be directly applicable in the Member States and would do away with many complexities and inconsistencies stemming from the different implementing laws of the Member States currently in place.
The Directive: the EDPS is, however, seriously disappointed with the proposed Directive for data protection in the law enforcement area. He regrets that the Commission has chosen to regulate this matter in a self-standing legal instrument which provides for an inadequate level of protection, and which is greatly inferior to the proposed Regulation.
A positive element of the proposed Directive is that it covers domestic processing, and thus has a wider scope than the current Framework Decision. However, this improvement only has added value if the Directive substantially increases the level of data protection in this area, which is not the case.
The main weakness of the package as a whole is that it does not remedy the lack of comprehensiveness of the EU data protection rules. It leaves many EU data protection instruments unaffected such as the data protection rules for the EU institutions and bodies, but also all specific instruments adopted in the area of police and judicial cooperation in criminal matters such as the Prüm Decision and the rules on Europol and Eurojust. Furthermore, the proposed instruments taken together do not fully address factual situations that fall under both policy areas, such as the use of PNR or telecommunication data for law enforcement purposes.
General comments on the proposed Regulation: the EDPS makes the following observations:
(1) One horizontal issue is the relationship between EU and national law. The proposed Regulation goes a long way in creating a single applicable law for data protection in the EU, however there is still more space for coexistence and interaction between EU law and national law than one might assume at first sight. The EDPS takes the view that the legislator should better acknowledge this.
(2) A second issue of general importance arises from the numerous provisions which empower the Commission to adopt delegated or implementing acts. The EDPS welcomes this approach in so far as it contributes to the consistent application of the Regulation, but has reservations about the extent to which essential legal provisions are left to delegated powers. Several of these empowerments should be reconsidered.
(3) On a detailed level, the EDPS points to the main positive elements of the proposed Regulation, which are:
· the clarification of the scope of application of the proposed Regulation;
· the enhanced transparency requirements towards the data subject and the reinforcement of the right to object;
· the general obligation for controllers to ensure and be able to demonstrate compliance with the provisions of the Regulation;
· the reinforcement of the position and role of national supervisory authorities;
· the main lines of the consistency mechanism.
The main negative elements of the proposed Regulation are:
· the new ground for exceptions to the purpose limitation principle;
· the possibilities for restricting basic principles and rights;
· the obligation for controllers to maintain documentation of all processing operations;
· the transfer of data to third countries by way of derogation;
· the role of the Commission in the consistency mechanism;
· the mandatory nature of imposing administrative sanctions.
General comments on the proposed Directive: as regards the Directive, the EDPS takes the view that the proposal, in many aspects, does not meet the requirement of a consistent and high level of data protection. It leaves all existing instruments in the area unaffected, and in many instances there is no justification whatsoever for departing from the provisions of the rules in the proposed Regulation.
The EDPS underlines that whilst the law enforcement area requires some specific rules, every departure from the general data protection rules should be duly justified based on a proper balance between the public interest in law enforcement and citizens’ fundamental rights.
The EDPS is particularly concerned regarding:
· the lack of clarity in the drafting of the principle of purpose limitation;
· the absence of any obligation on competent authorities to be able to demonstrate compliance with the Directive;
· the weak conditions for transfers to third countries;
· the unduly limited powers of supervisory authorities.
The following recommendations on the whole reform process are made:
· announce publicly the time schedule on the second stage of the reform process as soon as possible;
· incorporate the rules for EU institutions and bodies in the proposed Regulation or at least have aligned rules in force when the proposed Regulation applies;
· present as soon as possible a proposal for common rules for the Common Foreign and Security Policy, based on Article 39 TEU.
The EDPS makes a series of detailed recommendations regarding amendments to provisions in both the draft regulation and the draft directive.