On 23 March, the Article 29 Data Protection Working Party (Working Party) adopted its
on the data protection reform proposals of the European Commission. The Working Party broadly welcomes the proposals for seeking to reinforce the position of data subjects, enhance the responsibility of controllers and strengthen the position of supervisory authorities both nationally and internationally. In spite of this positive stance, however, the Working Party believes that parts of the proposal for a regulation need clarification and improvement. Regarding the proposed directive in the area of police and justice, the Working Party underlines the need for stronger provisions and expresses disappointment with the commission’s level of ambition in this field.
The Working Party’s comments cover a range of areas including consistency and comprehensiveness; the role of DPAs and EDPB; the role of the European Commission; recommendations regarding particular provisions, and areas where provisions are lacking.
Consistency and comprehensiveness
The Working Party would have preferred a comprehensive reform proposal in one legal instrument rather than a separate directive and regulation. To this end it believes that the substantive provisions of the regulation and directive should be brought closer together and consistency between the texts should be ensured. The Working Party believes that the EU institutions should be bound by the same rules that apply at member state level, meaning that Regulation 45/2001 should be aligned with the proposed regulation. While encouraging consistency and comprehensiveness in the regime, the Working Party emphasizes such efforts should in no way lower current data protection standards. The Working Party regards the broad and unspecified exceptions for public authorities as unjustified and suggests that, as far as possible, the private and public sectors be treated in the same way.
Role of DPAs and EDPB
The Working Party believes that its important role in policy making—until now and in the future as the European Data Protection Board (EDPB)—should be reflected in the proposals. It also suggests that the European Parliament, as well as the commission, be empowered to ask the EDPB for an opinion on any question covering the application of the regulation under Article 66(1)(b). Such a request could result in the EDPB issuing guidelines, recommendations or best practices addressed to the supervisory bodies in order to encourage consistent application of the regulation. The Working Party strongly suggests including an obligation that the commission consult the EDPB regarding adequacy decisions (Article 41), standard data protection clauses (Article 42), European codes of conduct (Article 38) and delegated and implementing acts (Articles 86 and 87). It believes DPAs should have the power to carry out audits as well as investigations and to define their own priorities. The Working Party considers that criteria are necessary for determining the lead DPA in a particular case and that cooperation between DPAs, where more than one is concerned, should involve assessments made by consensus.
Role of the European Commission
The Working Party is concerned with the extent to which the commission is empowered to adopt delegated and implementing acts. Because some provisions of the regulation cannot be applied without those acts in place, essential elements should be inserted into the regulation to ensure legal certainty. At the very least, the Working Party calls for a timetable of acts that the commission intends to adopt in the short, medium and long term. The Working Party also has strong reservations regarding the role foreseen for the commission in individual cases which have been dealt with under the consistency mechanism. It believes this role will encroach upon the independent position of DPAs, and that instead, the commission should provide its legal assessment but in principle refrain from interference in the process.
Particular provisions
The Working Party makes suggestions regarding the following provisions:
- Thresholds designed to alleviate burdens on micro, small and medium enterprises (MSMEs) should be based on the nature and extent of data processing carried out by enterprises rather than the size of the enterprise itself.
- Further clarification is needed regarding the meaning of “offering goods and services” and “monitoring of their behavior” in Article 3(2), which defines the scope of the regulation as it applies to a controller not established in the union that is processing the personal data of data subjects residing in the union. Offering goods and services should include “services provided without financial costs to the individual.”
- Recital 24, which defines personal data, is unduly restrictive and should include, for example, IP addresses and cookie IDs.
- Article 4(11), defining biometric data, should be amended to focus on what types of data are to be considered biometric data instead of defining it as data that allows the unique identification of an individual, which would exclude data used for authentication rather than identification.
- Article 4(13) and Recital 27 determine the location of the main establishment of a multinational company but require clarification. This could take into account whether one establishment has “dominant influence” over processing operations for data protection rules. These rules are vital for determining the lead DPA in terms of Article 51(2); the DPA of the member state where the controller has its main establishment is deemed the DPA competent for the supervision of processing activities in all member states.
- The concept of pseudonymisation should be introduced more explicitly.
- Article 6(4) allows further processing of data to be carried out, even where the purpose of the processing is not the same as that for which it was collected, as long as a legal basis can be found in Article 6(4)(a)-(e). This provision should be deleted or redrafted as it leaves open the possibility of further processing of data for incompatible purposes.
- Article 25(2)(a) should be deleted. This provision removes the obligation to designate a representative within the European Union for controllers established in a third country where the European Commission has decided that the third country ensures an adequate level of protection. Data protection impact assessments, which are required under Article 33 where processing operations present specific risks to the rights and freedoms of data subjects, should also be required when processing operations are “likely to” present those risks and not just when the risk is clear.
- Article 73(1) provides that every data subject shall have the right to lodge a complaint with a supervisory body in any member state. This should be amended to allow a complaint to be lodged only in the jurisdiction where a data subject resides or where the controller or processor is located rather than in any member state.
Provisions lacking
The Working Party regrets that the following areas have not been specifically addressed by the regulation or directive:
- The issue of the collection and transfer of data by private parties or non-law enforcement public authorities that are in fact intended for law enforcement purposes;
- The manner in which rights can be executed by representation, for example for minors, incapable persons and by lawyers;
- Third-party compliance with the right to be forgotten;
- The use of Mutual Legal Assistance Treaties in case of disclosures not authorized by EU or member states law should be obligatory;
- How to enforce the judgment of a court of one member state, i.e., where the data subject has habitual residence, when the controller or processor is established in another member state.
Coauthored by Emily Hay of the Data Privacy Team at Lorenz Brussels.
