On March 20, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) held legislative deliberations regarding the European Commission’s proposed General Data Protection Regulation (”Proposed Regulation”). The LIBE Committee Chair, Juan Fernando López Aguilar, noted that 2,783 amendments to the Proposed Regulation and 504 amendments to the proposed Police and Criminal Justice Directive (“Proposed Directive”) have been tabled.
LIBE lead rapporteur Jan Philipp Albrecht noted that the fundamental principles of the European Data Protection Directive 95/46/EC are not in dispute, and that the purpose of the Proposed Regulation is to harmonize implementation of data protection principles across Europe and with respect to new technologies. He advocates a unified framework, preferring a single legal instrument as opposed to both the Proposed Regulation and Proposed Directive; at a minimum, a single instrument for general data processing is important. Rapporteur Albrecht considers that key objectives of the Proposed Regulation should be to harmonize and strengthen individuals’ rights and to provide legal certainty. He is optimistic that the Proposed Regulation can be settled during the current Irish presidency of the Council of the European Union.
Director General Le Bail
Françoise Le Bail, Director General for the European Commission’s Directorate-General Justice, is similarly optimistic that the Council will be able to reach political agreement on the Proposed Regulation by June 2013. She highlighted as key issues the wide scope of the Proposed Regulation, the broad definition of “personal data,” the “one-stop-shop” concept and the importance of sanctions.
- Scope of the Proposed Regulation: The Proposed Regulation should apply to EU citizens, regardless of residency.
- Definition of “personal data”: The current broad definition is of crucial importance and must be maintained. In particular, personal data relating to individuals acting in their professional capacity (e.g., job title, work address) are covered by the definition. The Commission is prepared to work with the Council and Parliament on a definition of “pseudonymous” data, but the current levels of data protection for personal data must be maintained.
- The “one-stop-shop”: The lead authority concept is an essential pillar of the Commission’s proposal and is a key element in simplifying data protection rules for companies operating across the borders of Member States. The existing provisions on the one-stop-shop concept require clarification to ensure that the drafting reflects the Commission’s desire to encourage simplification.
- Sanctions for non-compliance: For Director General Le Bail, “a strong system means fines.” Without sanctions, the reforms will not be meaningful. Further, the Commission supports all proposed amendments that would strengthen data protection authorities, which are considered of “essential” importance under the revised framework.
Shadow Rapporteur Voss
European Parliament shadow rapporteur Axel Voss emphasized the need to achieve a balance between the interests of individuals and businesses, and between existing business models and new technologies. He stated that the fundamental principles of Directive 95/46/EC should be preserved, but modifications and improvements are needed in certain areas (e.g., online processing). The Proposed Regulation should not be a reworking of Directive 95/46/EC. Voss called for clarification, in particular for the definitions of “personal data,” “pseudonymous data” and “anonymous data.” Voss also cautioned against overly restrictive wording in the Proposed Regulation since the rules need to be flexible, and against excessive bureaucracy, calling for a better balance in the administrative provisions and a high degree of self-regulation. In particular, he urged that the provisions relating to high-risk processing activities must still be practical and workable.
Shadow Rapporteur Ludford
Shadow rapporteur Sarah Ludford was appointed just last week to replace Alexander Alvaro following a serious injury. Ludford encouraged LIBE Committee members to read Alvaro’s draft amendments to the Proposed Regulation, which demonstrate Alvaro’s creative approach to the issues. In particular, she noted Alvaro’s amendments emphasize the importance of the context of data processing activities, especially the degree of risk involved and the likelihood of data subject identification. Ludford urged that the Proposed Regulation should strike a balance between achieving a high level of data protection and economic value and job creation in the EU, noting that the two concepts are not mutually exclusive. In particular, she pointed to media coverage regarding business concerns over the Proposed Regulation’s inflexibility as being both inaccurate and unhelpful.
European Data Protection Supervisor Hustinx
European Data Protection Supervisor Peter Hustinx had provided a letter to LIBE on March 15 and presented his comments at the deliberations. He urged the LIBE Committee to follow Voss’ report. He stated that the Commission’s definition of “personal data” should be maintained and emphasized that pseudonymous and encrypted data are both clearly personal data. Hustinx disagreed that the scope of the Proposed Regulation should apply to “residents of the EU,” as opposed to “citizens.” He strongly supported the Commission’s emphasis on explicit consent. Regarding the “legitimate interests” basis for data processing, he cautioned that this involves a balancing test that must be determined on a case-by-case basis. He argued against listing presumptions and rules of thumb that would, in his view, lead to confusion.
Article 29 Working Party Chairman Kohnstamm
Jacob Kohnstamm, Chairman of the Article 29 Working Party, endorsed the Proposed Regulation, and was “even more positive about the Rapporteur’s proposals.” He particularly welcomed Rapporteur Albrecht’s proposed amendments with respect to the lead authority concept, and proposed sanctions for non-compliance.
- The “one-stop-shop”: Kohnstamm welcomed the lead authority concept, but, as per Rapporteur Albrecht’s proposed amendment, he thinks that the lead authority should not have exclusive jurisdiction. He also urged that data controllers should not be able to determine their place of “main establishment” as this could lead to forum shopping. Where there is any uncertainty as to an entity’s main establishment, this should be determined by the European Data Protection Board.
- Sanctions for non-compliance: Kohnstamm welcomed a wider margin of appreciation for data protection authorities in relation to sanctions, in particular, in deciding whether or not to impose sanctions for unintentional breaches of the Proposed Regulation.