Our analysis of the European Commission's proposal for a general Data Protection Regulation
On 25th January 2012, the European Commission published a proposal that would comprehensively reform the European data protection legal regime. One aspect of its proposal, a new Regulation (the “Proposed Regulation”),1 would modernise and further harmonise the data protection regime created by the Data Protection Directive (95/46/EC). Another aspect of the Commission’s proposal, a new Directive2 (the “Proposed Directive”), would set out new rules on “the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data”.3
As regards the proposed Regulation, we believe that on the whole it goes a long way towards ensuring that data protection law is capable of adequately responding to contemporary and emerging threats to the right to privacy. Importantly, it goes some way towards ensuring that all citizens of EU member states will have equal access to these protections. It starts from the standards and principles set out in the current Directive (95/46/EC) and further enhances, elaborates and develops these. As a result it ensures more control on the part of the individual citizen/consumer for example with regards to access, correction and deletion and by attempting to ensure that these rights are meaningful in practice. It also attempts to ensure more effective enforcement by independent authorities with more teeth, as well as better possibilities for redress for individuals, including through the right of associations or organisations representing citizens and consumers to take collective action. We also welcome the emphasis on responsibility and accountability of controllers for building privacy in their systems (“privacy by design”), and the requirement for breach notifications.
However, the Regulation also has a number of weaknesses, which have the potential to undermine severely the rights of individuals. Some aspects require clarification or improvement. In the attached document we identify priority areas where data protection is not robustly mandated in the proposed Regulation, and where we call for improvements that, if implemented, would make the proposed Regulation more comprehensive and more protective of citizen and consumer privacy. Each section gives a summary, followed by suggestions for improvements or amendments for specific articles.
Our key messages are:
- The definition and accompanying recital of ‘data subject’ (and therefore ‘personal data’) leaves potential loopholes for people to be singled out but not protected.
- Legitimate interest can provide a convenient loophole for abusive or excessive processing.
- ￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼Further non-compatible use of personal data completely undermines the purpose limitation principle, one of the fundamental pillars on which data protection is based.
- Provisions for subject rights against profiling are weak, and leave open the door for discrimination.
- Restrictions possible for public interest reasons, which are not properly defined, could render all the rights and obligations in the Regulation null and void.
N.B. The chart uses for the most part the same terminology as defined in the regulation, e.g. data subject, controller, etc. Data when used on its own means personal data.
1.See COM(2012) 11 Final, 2012/0011 (COD).
2.See COM(2012) 10 Final, 2012/0010 (COD).
3.See Privacy International's Summary analysis of European Commission proposal for a Data Protection Directive in the law enforcement sector.