Our analysis of the European Commission's proposal for a Data Protection Directive

On 25th January 2012, the European Commission published a proposal that would comprehensively reform the European data protection legal regime. One aspect of the proposal, a new Regulation (the “Proposed Regulation”),1 would modernise and further harmonise the data protection regime created by the Data Protection Directive (95/46/EC). Another aspect of the Commission’s proposal, a new Directive (the “Proposed Directive”), would set out new rules on “the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data”.2 The attached paper summarises the key elements of the Proposed Directive.

Early reactions to the Proposed Directive were critical. The European Data Protection Supervisor (“EDPS”) declared that it “does not meet the requirement of a consistent and high level of data protection”3 and the Article 29 Data Protection Working Party (“WP29”) stated that it is “disappointed by the Commission’s level of ambition and underlines the need for stronger provisions”.4 It further states that, as a result of political constraints, the Proposed Directive does not mandate a sufficiently high level of data protection.

Privacy International strongly supports these conclusions and considers that the EU Commission drafters have failed in their duty to ensure a high level of data protection for EU citizens across the board, both in the private and public sector. Police and judicial cooperation in the context of law enforcement is an area where sensitive personal data is likely to be involved, and therefore citizens may be put at particular risk. We are therefore looking to the Parliament and the Council to ensure that a high level of data protection by the relevant public authorities is mandated throughout the EU.

The below document identifies areas where data protection is not robustly mandated in the Proposed Directive; it also identifies areas where Privacy International calls for improvements that, if implemented, would make the Proposed Directive more comprehensive and more protective of individual privacy in the law enforcement context. It concentrates in particular on strengthening two essential aspects in the Proposed Directive: (i) the rights of the data subject and (ii) the obligations of the controller. By doing so, it can become more in tune with the Proposed Regulation.

Our five key findings are:

1. The data processing principles are less ambitious and more ambiguous than those in the Proposed Regulation.
2. The rights of data subjects are significantly weaker than they would be under the Proposed Regulation.
3. Controllers are subject to fewer, and vaguer, obligations than they would be under the Proposed Regulation.
4. Transfer rules are unclear, and less restrictive than they could be.
5. Supervisory authorities have fewer powers of oversight, and much weaker powers of interference or enforcement.

Please note that, as defined in the Proposed Directive, references to “controller” in the attached document are references to a “competent public authority that alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law”. In most cases, the chart summarises “Existing Requirements of the Proposed Directive” as if Member States have already fulfilled the requirements of the Proposed Directive. All references to “data” are references to “personal data”.

Footnotes

1.See COM(2012) 11 Final, 2012/0011 (COD).
2.See COM(2012) 10 Final, 2012/0010 (COD).
3.See EDPS Opinion, 7 March 2012, “EDPS applauds strengthening of the right to data protection in Europe, but still regrets the lack of comprehensiveness”.
4.See Article 29 Data Protection Working Party Opinion, 23 March 2012, 00530/12/EN, WP 191, “Opinion 01/2012 on the data protection reform proposals”.