Not long after the Article 29 Working Party (WP29) let their feelings be known on the trilogue negotiations about the future of the EU’s proposed General Data Protection Regulation (GDPR), the European Data Protection Supervisor (EDPS), itself a full member of the WP29, has done them one better. Not only has the EDPS weighed in with its opinion on how the final draft of the GDPR should read, it has also released a downloadable app that expresses its opinion alongside redlined drafts of the GDPR from the European Commission, the European Parliament and the Council of the European Union.
Now you, too, can compare the EDPS’s recommendations on the various drafts from the comfort of your mobile device. Download it from Google Play here. Grab it from the iTunes store here. Or, should you be old school, get it all as a PDF here through your browser.
Not surprisingly, the EDPS’s points closely mirror those of the WP29. However, the notable step here is that the EDPS has gone so far as to include a fleshed-out suggested draft of the GDPR with its recommendations already incorporated, and the app allows anyone to compare that draft with the Commission’s original or with either the Parliament’s or the Council’s draft. As Politico noted, this fourth text is 30 percent shorter than any other version, indicating a more direct approach “intended to provide transparency and brevity.”
In fact, this was one of the three most-highlighted pieces of the WP29’s suggestions, that the GDPR should be simple and clearly written, with compliance details coming via guidance of the European Data Protection Board, which would be newly created by all of the GDPR drafts.
Similarly, the EDPS uses one of its three initial statements to say the European Data Protection Board must be “fully operational as soon as the regulation becomes applicable” and that “excessive detail or attempts at micromanagement of business processes risks becoming outdated in the future.” A less prescriptive regulation that leaves room for DPAs to interpret based on current technology and societal norms is clearly important to the EDPS.
So, where does the EDPS place emphasis in its proposition? Firstly, the EDPS comes right out of the gate by somewhat dismissing the privacy protections provided by pseudonymised data—something the WP29 also guarded against, but further down and more obscured in its recommendations. In the EDPS’s very first point, it states, “Individuals should be able to exercise more effectively their rights with regard to any information which is able to identify or single them out, even if the information is considered ‘pseudonymised’.” Yes, that word is in quotes, and that definition of PII is definitely as broad as possible.
This is an even more direct approach than that taken by the WP29, which backed the concept of pseudonymisation as a security measure while saying pseudonymised data should not be in its own category in the regulation.
Further, the EDPS makes no bones about its position on “legitimate interest” processing: “[t]he EU should preserve, simplify and operationalize the established notion that personal data should only be used in ways compatible with the original purposes for collection.” And the EDPS “strongly” advises against permitting transfers on the basis of legitimate interests of the controller because of the “insufficient protection for the individual.”
The EDPS also calls for the regulation to reverse the trend of profiling and targeted advertising based on “secret tracking,” for complete and total data portability from one controller to another based on user request, and for “data protection by design and by default.” At the same time, it calls for “a better equilibrium between public interest and personal data protection,” and says that rules should not hamper research that “is genuinely in the public interest.” Further, researchers and archivists should be able to store data for as long as necessary, as long as there are appropriate safeguards to protect privacy and prevent the nefarious use of the information.
As for a comparison of the EDPS draft to the three other existing drafts, the differences are legion, starting with something as seemingly benign as the GDPR’s “Subject Matter and Objectives” section, where the EDPS inserts “human dignity” into the list of things the GDPR seeks to protect.
Significantly, the EDPS sides with the Parliament in applying the regulation to the processing of data “irrespective of the method of processing,” using the broadest possible definition, and in not making an exemption for the “safeguarding against and the prevention of threats to public security,” but sides with the Council in saying that the regulation does not apply to EU institutions, bodies, offices and agencies.
The EDPS also sides with the Council in limiting the GDPR’s scope to a processor or controller in the EU, whereas the Parliament would like the GDPR to apply “whether the processing takes place in the Union or not.” It does not agree with the Council, however, that the monitoring of data subjects should only be covered if their behavior takes place in the EU.
Finally, a quick look at how the EDPS comes down on some of the bigger issues generally discussed with the GDPR:
Right To Be Forgotten: Like the Parliament draft, the EDPS’s draft simplifies it to “Right to Erasure,” and simplifies the criteria by which a controller must erase. While the Council invokes legitimate interest grounds for continuing processing even after a request for deletion, the EDPS says you can’t process if the data subject objects. End of story. Further, it agrees with the Parliament that if a controller makes data public without legal ground, it must take steps to erase that data and inform the subject.
Profiling: The EDPS prefers the continued use of the term “profiling,” rather than the Council’s “Automated individual decision making,” and is unequivocal in saying automated profiling must not produce “legal effects.” Exceptions are largely those suggested by Parliament.
The Controller’s Accountability: The EDPS is by far the simplest in its statement here. Pointedly calling it the “accountability of the controller,” the EDPS text says “data shall be processed under the responsibility and liability of the controller.” Not much wiggle room there.
Data Protection by Default: Again, the EDPS draft mostly just simplifies the definitions and is more direct in its language. This leaves a great deal of interpretation for the European Data Protection Board. What are “appropriate solutions”?
Security of Processing: The EDPS chooses not to include wording about the costs and difficulties of security, as the Council text does, and would require “security appropriate to the risk” as determined by a data protection impact assessment. Again, its recommendations are far simpler than either the Parliament or Council text. It agrees with both texts that the Commission should not be able to prescribe certain mandatory security measures.
Breach Notification: The EDPS sides with the Council here, recommending a breach notification period of 72 hours, rather than 24 hours, if the breach is “likely to result in a risk for the rights and freedoms of individuals.” The EDPS text also allows that the information provided, such as about what steps to take to mitigate risk, can be provided to subjects in phases.
Mandatory Data Protection Officer (DPO): The EDPS, like the Commission, would require a DPO for all public authorities processing data. However, instead of requiring one for enterprises employing more than 250 persons, as the Commission does, it sides with the Parliament that a DPO would be required if the controller’s or processor’s operations would “imply regular or systemic monitoring of data subjects or a high level of risk.” Also, the EDPS would allow one DPO to work for more than one enterprise and would require them to be designated “on the basis of professional qualities and, in particular, expert knowledge of data protection law,” with no equivocations for the type of data being handled.
Certification Bodies: The EDPS, somewhat similarly to the Commission and Council, would encourage third-party certification, while the Parliament would like certification to be done by the DPAs themselves.
One-Stop Shop: In a distinctive description of competence, the supervisory authority of the country in which a company is based will be designated as the “lead supervisory authority.” This lead authority “shall be the sole authority empowered to decide on measures intended to produce legal effects as regards the processing activities of the controller or processor for which it is responsible.” However, a subject from another country could make a complaint to their own DPA, which could then take the complaint to the lead authority. If, after three weeks, the lead DPA did not take action, the home DPA could then take action of its own, with the lead DPA acting as the “interlocutor of the controller or processor for their transnational processing.” The DPA cannot charge the subject for taking up the case.
It remains to be seen what the trilogue negotiators will do with the EDPS recommendations. Whether these recommended language changes will find their way into the final texts is impossible to know. However, the EDPS does have a respected voice in the data protection community, and it’s hard to think the recommendations, especially as they are so clearly and painstakingly outlined, will be completely ignored.