When it was first announced, we looked at the Commission’s proposals for reform of the EU data protection regime. There are now two proposals in place:
- a General Data Protection Regulation (“GDPR”); and
- a Directive which will address law enforcement matters.
The GDPR has been gathering momentum in recent months. The EU Council adopted its general approach to the draft legislation on 15 June 2015. This created the impetus for “trilogue” discussions to begin between the Commission, the Council and the Parliament. Two initial meetings were held in June and July. Discussions will resume in earnest this month. Lead negotiators have set a notional target for the adoption of the GDPR by the end of 2015. However, this is likely to slip into early next year.
The Article 29 Working Party (“A29WP”) is an independent advisory body composed of representatives of national Data Protection Authorities (“DPAs”). It is tasked with safeguarding data protection rights of EU citizens and residents.
The A29WP wrote to representatives of the Commission, Council and Parliament in June. It attached a document setting out its thoughts on key issues in the debate over the GDPR.
We’ve set out below ten things that any individual or business operating online needs to know about the A29WP’s views.
The Scope of the Directive
- Definition of Personal Data – “personal data” should be defined broadly. The concept of “identifiability” should include the capacity to single out an individual. Reflecting recent CJEU rulings, IP addresses and other online identifiers should be considered personal data.
- Territorial Scope – the GDPR should cover non-EU processors, where they act on the instructions of EU controllers.
- Household Exemption – the household exemption, which exempts the processing of personal data by an individual for personal, family or recreational reasons from data protection compliance, should be interpreted restrictively. It should apply to “purely” household activities only.
The Role of National DPAs
- Enforcement – DPAs should be given powers of enforcement to include the suspension of processing and significant fines.
- One-Stop Shop – This approach, which would allow organisations to deal with only the DPA of their country of main establishment rather than many DPAs across the EU, should be retained. However, amendments relating to DPA cooperation, and proposals that citizens can seek effective remedies in the courts of their member state, should be supported.
- Consent – Data subjects’ informed consent must be obtained for a specific purpose with opt-in and opt-out provisions. Broad or generic consent is not acceptable.
- Pseudonymisation – Pseudonymisation is to be recommended as a security measure. However, it should not be introduced as a new category of data which is regulated less rigorously than personal data.
- Transfers – Justifying transfers to non-EU countries on the basis that such transfers are in the legitimate business interests of the data controller should be strictly exceptional.
- Portability – Data portability ought to be a separate and independent new right for data subjects.
- Profiling – Current drafts of the GDPR are insufficient to address profiling. Profiling means automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person. Specific provisions relating to the purposes for which profiles may be created and specific information obligations should be added to the GDPR.
The next few months will determine the shape of European privacy regulation for the foreseeable future. It remains to be seen if the tough positions advocated by A29WP will make it into the final legislation. However, this is an issue which any business which uses the personal information of Europeans should follow closely.