On October 5, 2012, the Article 29 Working Party (the “Working Party”) issued an Opinion providing further input on the recent data protection reform discussions in the EU. The Opinion follows the Working Party’s first Opinion on the EU data protection reform proposals issued on March 23, 2012.
The Opinion indicates that the Working Party welcomes the steps undertaken by the Council of the European Union on the proposed reform (the “Regulation”) and provides further guidance, notably on the definition of personal data, the use of consent as a legal basis to process personal data, and the need for and the effect of the proposed “delegated acts” and more suitable alternatives.
The Definition of Personal Data
The Working Party notes in the Opinion that the definition of a “data subject” in Article 4(1) of the proposed Regulation does not “fundamentally change the notion of personal data” as currently defined in the EU Data Protection Directive. The Working Party suggests clarifying in Recital 23 and Article 4 of the proposed Regulation that personal data also covers “any information allowing a natural person to be singled out and treated differently.” The Working Party also recommends changing Recital 24 to explicitly consider IP addresses and cookies as personal data.
Regarding consent, the Working Party welcomes the fact that a burden of proof will be placed on the data controller to demonstrate that a data subject has consented to the processing of his or her personal data and notes in the Opinion that the use of consent as a legal basis to process personal data will be invalid if there is a significant imbalance between the position of the data subject and the data controller. The Working Party also approves the inclusion of the word “explicit” in the definition of “consent,” which it maintains “is necessary to truly enable data subjects to exercise their rights.”
The Proposed Delegated Acts
In the proposed Regulation, the European Commission granted itself the power to adopt a considerable number of “delegated” and “implementing” acts. A “delegated” act can be adopted to supplement or to amend non-essential parts of the Regulation while an “implementing” act can be used where uniform conditions are needed for implementing the Regulation.
While delegated and implemented acts can be a valuable instrument for providing further harmonization, the Working Party emphasizes that adopting such acts should only occur if the European Commission can demonstrate that the adoptions are necessary. Accordingly, in the annex to its Opinion, the Working Party has identified the provisions of the proposed Regulation in which delegated acts are mentioned and assessed whether a delegated act would be the most appropriate way for dealing with a particular data protection issue or if other alternatives, such as addressing the issue at the national law level or consulting the European Data Protection Board (the anticipated successor to the Working Party), would be more appropriate.
The data protection reform package is currently being discussed in both the European Parliament and the Council.