The Article 29 Data Protection Working Party has adopted an opinion providing further guidance on the European Commission's proposals for a revised data protection legislative framework. It repeated its earlier approval of the broad definition of personal data and the standard of consent adopted by the draft Regulation, but opined that the focus should not be on those definitions but rather on the operative provisions of the draft (and the exceptions to them) where there were concerns that applying the Regulation might lead to disproportionate outcomes. The Working Party was also critical of the amount of secondary legislation that the Commission had retained for itself in the draft and suggested alternative approaches in specific circumstances. The opinion highlights the continuing tension between the Working Party and the Commission over the Commission's role under the proposals. Further, the Working Party's suggestion that specific matters should ultimately be left to the ECJ does not encourage legal certainty.
Background
The EU's data protection regime is currently set out in Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, with which all EU member states must comply (see Practice note, Overview of EU data protection regime).
The Working Party has adopted an opinion providing further guidance on the European Commission's proposals for a revised data protection legislative framework. In summary, the Working Party repeated its earlier approval of the broad definition of personal data and the standard of consent adopted by the draft Regulation. However, it opined that the focus should not be on those definitions but rather on the operative provisions of the draft Regulation (and the exceptions to them) where there were concerns that applying the Regulation might lead to disproportionate outcomes. The Working Party was also critical of the amount of secondary legislation that the Commission had retained for itself and suggested alternative approaches in specific circumstances. The key aspects of the opinion are set out below.
Personal data
The Working Party opined that a natural person could be considered identifiable when, within a group, they could be distinguished from the group and consequently treated differently. It therefore suggested broadening the definition of data subject to include not only identified or identifiable natural persons, but also those who could be singled out and treated differently.
Consent
Responding to criticism that it might be unfeasible to require, in Article 4(8) of the draft Regulation, that a data subject's consent be explicit, the Working Party stated that it would be highly undesirable to delete the word "explicit" from the draft. It noted that the requirement was needed to enable data subjects to exercise their rights fully, particularly in the context of the internet, where the Working Party opined that there was abuse of the way in which consent was interpreted.
The Commission's powers
The Working Party was critical of the amount of secondary legislation the Commission had reserved for itself under the draft Regulation. It opined that a number of the areas which the draft proposed should be implemented through delegated acts could be dealt with through interpretative guidance from the Working Party's successor under the Regulation, the new European Data Protection Board (EDPB). Ultimately, it suggested that, in certain areas, rather than implement secondary legislation, it should be left to the ECJ to address gaps in the Regulation.
The proposed secondary legislation mainly concerns developing further criteria, conditions or requirements to underlie certain provisions of the draft Regulation.
The Working Party opined that of these, the following could be addressed through EDPB guidelines rather than delegated acts:
Lawful processing. The circumstances in which the ground of legitimate interest to support processing could be invoked and the assessment of whether such interests were overridden by the interests or fundamental rights and freedoms of the data subject (Article 6).
Sensitive personal data. The appropriate safeguards for processing sensitive personal data (Article 9).
Impact assessments. The assessment of whether a processing operation presented a specific risk to the rights and freedoms of data subjects (although the Working Party recognised that this could equally be addressed by a delegated act) (Article 33).
The Working Party opined that the following should be addressed in the text of the Regulation itself rather than through secondary legislation:
Sensitive personal data. The specific public interest exemptions to the general prohibition on processing of sensitive personal data (Article 9).
Data breaches. The criteria and requirements for identifying and notifying a data breach, and the circumstances in which a breach would be likely to affect a data subject adversely (Articles 31 and 32).
Cross-border transfers of personal data. The derogation from the prohibition on transfer based on important grounds of public interest (Article 44).
Processing for the purposes of historical, statistical or scientific research. Any additional requirements for this type of processing (Article 83).
Finally, the Working Party opined that the following needed no further elaboration in secondary legislation (although in certain circumstances EDPB guidance might be helpful):
Consent. Methods of obtaining verifiable consent from children (Article 8).
Sensitive personal data. The criteria and conditions for processing sensitive personal data (Article 9).
Subject access. The criteria and requirements for communicating personal data to the data subject, together with any available information relating to their source (Article 15).
Data protection "by design". The criteria and requirements for implementing this aspect of the Regulation (Article 23).
Processors. A data processor's responsibilities, duties and tasks (Article 26).
Data security. Implementing technical and organisational measures ensuring an appropriate level of security (Article 30).
Comment
The opinion highlights the continuing tension between the Working Party and the Commission over the Commission's role under the proposals. The Working Party is keen to restrict the Commission's powers in several areas. Unsurprisingly, it suggests shifting responsibility in a number of these to the EDPB (the Working Party's successor) in the form of non-binding guidance. Elsewhere, the Working Party's suggestion that specific matters should ultimately be left to the ECJ does not encourage legal certainty.