New Article 29 Working Party Opinions Published

March 28, 2012

Two new Opinions from this influential EU advisory body have been adopted and were published on the Article 29 Working Party’s web site on 29 March.

The first in importance, adopted on 23 March, is the Opinion on the data protection reform proposals. Not only are the proposals themselves subject to a detailed critique but the Opinion is also one shot in what may be a long battle for influence between the Working Party and its successor organisation (the newly proposed European Data Protection Board) on the one side and the European Commission on the other. The data protection reform proposals envisage a much more consistent policy across Member States and one plank in that policy is an increased role for the Commission. The Article 29 Working Party ‘has strong reservations with regard to the role foreseen for the Commission in individual cases which have been dealt with under the consistency mechanism, as it encroaches upon the independent position of DPAs’. An extract from the Opinion is to be found below.

The Opinion on face recognition in online and mobile services appears to have been published in some haste even though adopted on 22 March. As the Opinion notes, there has been a ‘rapid increase in the availability and accuracy of facial recognition technology in recent years. Furthermore this technology has been integrated into online and mobile services for the identification, authentication/verification or categorisation of individuals. The technology, once the subject of science fiction, is now available for use by both public and private organisations. Examples of use in online and mobile services include social networks and smartphone manufacturers.’ The Opinion includes nine recommendations relating to consent, the provenance of images, limits on the use of images and templates, security during transit and storage, data minimisation and subject access.

The Opinion on the data protection reform proposals includes an Introduction which is as follows:

The Article 29 Data Protection Working Party (Working Party or WP29) welcomes the proposals adopted by the European Commission that seek to reinforce the position of data subjects, to enhance the responsibility of controllers and to strengthen the position of supervisory authorities, both nationally and internationally. Subject to further improvement the rules proposed can significantly reduce the existing fragmentation and strengthen data protection across Europe.

The Working Party in particular welcomes the inclusion of provisions that give incentives to controllers to invest, from the start, in getting data protection right (such as data protection impact assessments, data protection by design and data protection by default). The proposals place clear responsibility and accountability on those processing personal data, throughout the information life cycle.

The Working Party underlines the importance of the provisions intended to clarify and strengthen data subjects’ rights, notably by clarifying the notion of consent, the introduction of a general transparency principle and enhanced redress mechanisms. Also, the introduction of a data breach notification duty that provides consistency across all sectors is very welcome.

The Working Party also welcomes the fact that the proposals harmonise the powers and competences of supervisory authorities to more effectively ensure and where necessary enforce compliance, both individually and in cooperation with each other, for example, by being able to impose significant fines.

Despite its general positive stance toward the proposed Regulation, the Working Party feels that parts of the proposal for a Regulation need clarification and improvement. With regard to the Directive for data protection in the area of police and justice, the Working Party is disappointed by the Commission’s level of ambition and underlines the need for stronger provisions.

The Working Party has carefully studied both proposals and with this opinion provides its first general reaction to them. The opinion highlights areas of concern and where appropriate makes suggestions for improvement. Where appropriate, the Working Party may produce further opinions on specific provisions or aspects of the proposals in the future.

The Working Party calls on the Council and members of the European Parliament to take the opportunity to improve both proposals and enhance the protection of personal data in the European Union.

General remarks

The Regulation fulfils the ambition to produce a text that reflects the increased importance of data protection in the EU legal order (Article 16 of Treaty, Article 8 of Charter). It retains and strengthens the core principles of data protection, imposes clear and uniform obligations on data controllers and processors, facilitates free movement of personal data and provides a strengthened legal framework for a uniform application of the law by Data Protection Authorities (DPAs) whose powers have been strengthened.

The Working Party is disappointed that its views on comprehensiveness have not resulted in one legal instrument. The Working Party notes the fact that the Commission has chosen to present a separate proposal for a Directive applicable to the area of police and criminal justice due to political constraints. A high level of consistent data protection standards also applying to this area is all the more needed. In any case, it should be clear that the new Directive must not result in Member States lowering their current data protection standards set for the police and criminal justice sector. Also, the new legal framework should be in line with other international agreements, including Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and its additional protocol. The Working Party proposes to have a clear reference in the preamble of the Regulation and of the Directive to Convention 108 and its additional protocol.

In previous opinions, the Working Party has stressed the need for comprehensiveness to be achieved by the legal framework. From that point of view, the Directive is disappointing in its lack of ambition compared to the Regulation. The fact that two legal instruments have been presented does not necessarily mean that a comprehensive legal framework is no longer possible, as long as the goal is the same – to achieve a high level of data protection for the European citizen across the board – and that the instruments contain a common approach to, among others, the principles of data protection, data subject rights and the obligations for controllers and processors.

Serious efforts from the European legislator are needed during the legislative procedure to bring the substantive provisions of the Directive closer to those of the Regulation and to ensure consistency in both texts.

Furthermore, the EU institutions should be bound by the same rules that apply at Member State level. Therefore, for the reform to be truly comprehensive, at the moment when the Regulation enters into force, the framework for data protection for the European Union’s institutions as currently laid down in Regulation 45/2001 needs to be aligned with it.

The same reasoning goes for the current specific rules for data processing in the former third pillar of the EU, for example in relation to EU agencies like Europol and Eurojust. The Working Party notes the practical difficulties that may exist to propose a general overhaul of the current acquis, but at the same time believes the same high level of data protection should in the end be applicable to all data processing in this area, including the EU bodies.

That said, the Working Party notes the commitment of the Commission to ensure a revision of other legal instruments to identify the need for alignment in three years. The Working Party recommends the legislator to set a much stricter deadline and calls upon the Commission to indeed put forward such proposals. At the same time the Working Party acknowledges that the current data protection regimes for some existing instruments and bodies are further-reaching than the proposed Directive. As is mentioned for Member States with a similar situation, alignment of current regimes with the Directive should in no case mean lowering a current data protection standard.

On another note, the Working Party regrets that neither the Regulation nor the Directive addresses the issue of the collection and transfer of data by private parties or non-law enforcement public authorities that are in fact intended for law enforcement purposes, as well as the subsequent use of these data by law enforcement authorities. Several examples in the last decade (i.e. PNR, retention of telecommunications data) have made clear that strict conditions are needed, especially when such processing happens on a structural basis. The same applies the other way around: also rules are needed to ensure data protection when information is transferred from law enforcement or other “competent” authorities to the private sector or other public authorities.

Lastly, with regard to both proposed instruments, the Working Party notes with concern the extent to which the Commission is empowered to adopt delegated and implementing acts. While recognising the need to ensure that certain issues can be dealt with at a more detailed level at a later stage, the Working Party considers this is not the case, for example, for rules regarding data breach notifications. In order to ensure legal certainty essential elements should be inserted in the Regulation itself, as provided for by Article 290 TFEU.