The European Parliament, European Council, and European Commission recently entered negotiations known as a “trilogue” regarding the proposed General Data Protection Regulation (GDPR). In an effort to shape these discussions and promote transparency, the European Data Protection Supervisor (EDPS)—an independent EU institution charged with providing supervision and advice regarding privacy and other related fundamental rights—released Opinion 3/2015. The opinion includes the EDPS vision for “future-oriented rules on data protection” and a comparison between the proposed GDPR text and the EDPS recommendations. If the EDPS recommendations are embraced, the new data legislation will be simpler and more adaptable as technologies and data practices evolve.
If adopted, the GDPR will likely affect all individuals in the European Union (EU), all organizations in the EU that process personal data, and all organizations outside the EU that process personal data of individuals in the EU for many years to come. In light of this broad scope and potentially lasting application, the EDPS emphasized two main themes: (1) providing a better data protection package for individuals and (2) establishing practical, lasting rules.
The EDPS is quick to point out that, according to recent research, the majority of Europeans do not trust online businesses. The EDPS believes that the GDPR should strengthen individuals’ rights by preventing discrimination, increasing transparency about how individuals’ data are processed, and giving individuals more control over their information. The EDPS does not envision a regulatory regime that constantly plays catch-up, in which anything goes unless it is expressly and specifically prohibited. Rather, all data processing “must be both lawful and justified.”
Specific recommendations to protect individuals include the following:
- All personal data should be protected, including pseudonymous data that relate to a person who can be indirectly identified by reasonably likely means.
- The original purpose for data collection should be specified, explicit, and legitimate, and any data processing for a purpose incompatible with the original purpose should only be permitted under certain limited circumstances.
- Individuals should have a meaningful choice when consenting to data collection and processing. Notably, meaningful choice may be lacking where use of an online service is conditioned on consent to unnecessary data processing.
- Empower individuals by making their data portable.
- Controllers should conduct data protection impact assessments if processing operations present specific data privacy or security risks.
- Make it easier for individuals to obtain redress for GDPR violations, including representation by authorized organizations in proceedings.
Pragmatism and Looking Ahead
The EDPS offers some practical advice for improving the GDPR, including the following:
- Remember that clarity and simplicity are valuable to all stakeholders.
- Focus on genuinely necessary rules.
- Avoid details and formalities that can unduly interfere with businesses, innovation, and user experience.
- Avoid language and practices that are likely to become outdated.
- Focus on results rather than documentation, which should be a “means not an end to compliance.”
Specific recommendations for making the rules work in practice include the following:
- Rather than restricting particular activities, require more transparency from controllers, such as disclosing the logic behind, and the effects of, profiling algorithms.
- Make the controller responsible and liable for its data processing, rather than prescribing particular policies or measures that it must adopt.
- Breach notification requirements should be limited to where the breach “is likely to result in a risk for the rights and freedoms of individuals.”
- Encourage industry initiatives, including certification mechanisms.
Not surprisingly, the EDPS aims for stronger personal data protection rights and greater data controller accountability; however, the EDPS also expresses a desire to “facilitate innovation with a legal framework that is neutral towards the technology but positive towards the benefits the technology can bring to society.” Europe may yet conclude that, notwithstanding its belief that data protection is a fundamental right and despite collective mistrust of online businesses, a “Digital Single Market” empowered by rules that judiciously protect personal data and facilitate the use of technology could spawn streaming commerce.