Following on from the Article 29 Working Party’s Opinion in June, the European Data Protection Supervisor (EDPS) has now published his own recommendations for the proposed General Data Protection Regulation (GDPR). Unsurprisingly, given that the EDPS is a member of the Working Party, the views expressed are in line with that Opinion. At this point you may be tempted to stop reading, but wait, there is more. In addition to expressing his vision of the GDPR and producing his own recommendations for every single article of the GDPR, the EDPS has demonstrated his commitment to practicality by making this all available as a mobile app. The app allows you to select which of the drafts you wish to see side by side, scroll rapidly through the contents to select a particular article, or search on the whole text so you can see at a glance what each version says, for example, about pseudonymisation or profiling. Whilst the app may have limited appeal, and is unlikely to keep small children entertained on long car journeys, it will be a thing of joy for its target audience.
The EDPS’ detailed proposal for the GDPR is prefaced by his “vision”, which is divided into three sections: a better deal for data subjects, rules which will work in practice, and rules which will last a generation. It emphasises the need to maintain and strengthen standards for the individual, and to take as a starting point “the dignity of the individual”. In this respect the proposal re-iterates the Article 29 Working Party’s concerns about the weakening of the principle of purpose limitation, and also re-states the need for bodies and associations to be able to bring complaints and claims, not just individuals.
The EDPS’ recommendations go on to express concern about the confusion of safeguards with formalities, and to call for a clearer, simpler text, which enables controllers to easily understand their technical obligations. It holds up as an example the EU competition manual “where a relatively limited body of secondary legislation is rigorously enforced and encourages a culture of accountability and awareness among undertakings” and recommends a significantly shorter, simpler Regulation. Apparently its own recommended version, which has been produced within the boundaries set by the existing drafts, is on average 30% shorter than the existing drafts. It suggests the gaps should be filled “by accountability and guidance from data protection authorities”. Whilst this raises the possibility of a lack of certainty as to what is required in certain areas pending the publication of such guidance, such an approach would allow for the flexibility the law will need if it is to last a generation. In this regard the recommendations make the point that if the GDPR has the same lifespan as the current Data Protection Directive, it may not be replaced until the late 2030s, by which time “data-driven technologies can be expected to have converged with artificial intelligence, natural language processing and biometric systems, empowering applications with machine learning ability for advanced intelligence”. It is a useful reminder of why the GDPR is not just another piece of legislation, but is critical for shaping all our futures.