In its Opinion 01/2012 of 23 March 2012, the Article 29 Working Party highlighted areas of the draft Data Protection Regulation which need clarification and improvement (see our Client Bulletin of 17 April 2012 for more information).

The Article 29 Working Party has now issued another Opinion 08/2012 which provides further guidance on the draft Regulation. The Working Party notes that some of those who have raised concerns about the impact of the draft Regulation have focussed their attention on the concepts of ‘personal data’ and ‘consent’. The Working Party believes that this is mistaken, as in order to properly protect the privacy of personal information it is necessary to adopt a broad definition of 'personal data' and to ensure that where consent is relied on, the consent is of a high standard. 

On the definition of ‘personal data’ the Working Party notes that a natural person can be considered identifiable when, within a group of persons, he or she can be distinguished from other members of the group and consequently be treated differently.  This has been set out in the earlier Opinion of the Working Party on the concept of personal data (Opinion 4/2007). The Working Party recommends that the draft Regulation should be amended in order to clarify that the notion of identifiability also includes singling out in this way.

Further, the recitals relating to the draft Regulation provides that identification numbers, location data, online identifiers or other specific factors “need not necessarily be considered as ‘personal data’ in all circumstances”.  The Working Party notes that this sentence might lead to an unduly restrictive interpretation of the notion of personal data in relation for instance to IP addresses or cookie IDs.  It therefore suggests changing this sentence to provide that such factors “should as a rule be considered personal data”.

In regard to the concept of ‘consent’, the Working Party notes that doubts have been raised as to the feasibility of the word “explicit”.  The Working Party opines that the inclusion of this word is “necessary to truly enable data subjects to exercise their rights, especially on the internet where there is now too much improper use of consent”. 

The Working Party welcomes the introduction, in the draft Regulation, of a burden of proof on the controller, by introducing safeguards in the context of a written declaration, and by excluding the validity of the consent where there is a significant imbalance between the position of the data subject and the controller.  Such clarifications build on the Opinion of the Working Party on the notion of consent (Opinion 15/2011).

Opinion 08/2012