On 5 November 2014, Peter Hustinx, the European Data Protection Supervisor (EDPS), together with Germany’s Federal Data Protection Commissioner, Andrea Voßhoff, held a panel discussion on the state of play and perspectives on EU data protection reform.

Although participants identified a number of key outstanding issues to be resolved prior to the conclusion of the reform process, there was some optimism that such issues could be overcome, and the process completed, before the end of 2015.

Background

The EDPS is an independent supervisory authority whose members are elected by the European Parliament and the Council in order to protect personal information and privacy, in addition to promoting and supervising data protection in the European Union’s institutions and bodies. The role of the EDPS includes inter alia advising the European Commission, the European Parliament and the Council on privacy legislation and policies, and working with other data protection authorities (DPAs) to promote consistent data protection throughout Europe.

The proposed data protection regulation is intended to replace the 1995 Data Protection Directive (95/46/EC) (the Directive) and aims not only to give individuals more control over their personal data, but also to make it easier for companies to work across borders by harmonising laws between all EU Member States. The European Parliament and the Civil Liberties, Justice and Home Affairs (LIBE) Committee have driven the progress on new data protection laws, but there has been frustration aimed at the Council of Ministers for their slow progress. Following the vote by the European Parliament in March 2014 in favour of the new data protection laws, the next steps include the full Ordinary Legislative Procedure (co-decision procedure), which requires the European Parliament and the Council to reach agreement together.

The panel discussion attendees were made up of institutional representatives and key figures involved in the EU Data Protection Reform Package, including: Stefano Mura (Head of the Department for International Affairs at Italy’s Ministry of Justice); Jan Albrecht MEP (Vice-Chair and Rapporteur of the European Parliament LIBE Committee); and Isabelle Falque-Pierrotin (President of CNIL and Chair of the Article 29 Working Party).  The purpose of the panel discussion was to consider the outstanding issues and next steps to finalise proposals on EU data protection reform, particularly in the context of the recent CJEU rulings on data retention and the right to be forgotten.

Key Messages

The key points raised during the panel discussion included:

  • There is optimism that the reform process will be completed in the next year subject to resolving outstanding issues, such as:
    • Whether public authority processing should be included in the proposed data protection regulation – Andrea Voßhoff commented that this issue was being considered by the Council of Ministers Committee in relation to the introduction of a clause preventing the lowering of standards by national laws. Stefano Mura added that while there is a desire for both a uniform approach between the EU Member States and a right for Member States to regulate their own public sectors, a balance should be achievable; and
    • How to deal with the recent and expected future case law in respect of the right to be forgotten. Andrea Voßhoff commented that guidelines were needed for such cases in order to balance data protection principles against freedom of expression. Furthermore, it was commented that the proposed regulation should deal with both access to such information and its creation.
  • The discussions on rules applicable to the public sector and dispute resolution may take some time due to difficulties of coordination at the national level.  However, the proposed Data Protection Board “one-stop shop” was suggested as being a good example of balancing the need for a uniform approach for data controllers while providing remedies for data subjects.
  • Adoption of the proposed data protection regulation needs to be completed in 2015 because inter alia:
    • The proposed regulation would provide unity and increased credibility to DPAs;
    • New compliance tools and stronger sanctions are required;
    • In the wake of the Snowden revelations, there is a public expectation of a uniform approach to European data protection; and
    • Technology and the digital economy have advanced significantly since the EDPS’s 2007 Opinion that change to the Directive was unavoidable.
  • The use of pseudonymisation techniques on personal data should not result in a lower standard of protection applicable to such data.
  • Despite the urgency to finalise the proposed regulation, key issues should not be ignored and a consensus should be achieved as to its scope and approach – otherwise the regulation risks being ineffective.

Comment

The Council is still reviewing the draft data protection regulation at a technical level, and negotiations on the proposed text between the Council and the European Parliament will only begin once the Council is ready. The earliest that there could be agreement on the draft regulation is likely to be the first half of 2015 – the expectation would then be that the revised data protection framework will come into force in 2017.