This post was written by Cynthia O’Donoghue.
On 23 and 24 February 2012, the General Secretariat to the EU presented the proposed Data Protection Regulation to the EU Working Party on Information Exchange and Data Protection (DAPIX), stating that the new proposals were motivated by the European Commission’s (EC) desire to stimulate growth across the EU and the need to protect the fundamental rights of European citizens. The EC’s justification for the proposed overhaul of existing European data privacy legislation was triggered by technological developments that have taken place since the 1995 EU Data Protection Directive, and the global trend towards a digital economy.
In addition, the General Secretariat distributed to the delegates a comparative table of the first 21 articles of the draft General Data Protection Regulation against the 1995 Directive.
The EC set out four key objectives underlying the proposal for a Data Protection Regulation: (1) stimulation of growth through the uniform application of data protection rules across the EU; (2) protection of fundamental rights; (3) adoption of flexible legal instruments capable of adapting to future technologies; and (4) legal certainty.
A summary of the discussions was published on 8 March 2012. Delegates of the DAPIX raised various issues with the draft Regulation, including that the Commission could have been more radical in its proposals. In contrast, many of the DAPIX delegates raised serious concerns about the draft Regulation, fearing that it would increase the administrative burden on organizations and public authorities.
Concerns were raised about obligations on small and medium-sized businesses, the specific obligation on organizations with more than 250 employees to appoint a data protection officer, and rules applicable to individuals rather than utilizing a more risk-based approach.
DAPIX also reviewed the proposed legislative instruments of a Regulation and Directive on data protection in law enforcement, with some of the delegates stating they would have preferred another directive on the basis that a regulation could be too prescriptive.
DAPIX also criticized the delegated powers of the EC under the draft Regulation on the basis that there was an unbalanced division of power between the legislator (the European Council and Parliament) and the EC, which could undermine the desire to simplify data protection rules, and that such delegated acts could lead to modification of the EU Member States’ national legislation.
The delegates also raised strong reservations surrounding the geographical scope concerning the ‘one-stop shop’ principle that makes one Data Processing Authority (DPA) competent for all data processing operations throughout the EU, fearing that organizations would then forum shop, and that it would create an excessive administrative burden on some national DPAs. Other delegates, however, welcomed the ‘one-stop shop’ principle.
Delegates raised additional concerns about whether the draft Regulation is sufficiently technology-neutral, and whether concepts such as the right to be forgotten and the right to data portability were technically feasible, as well as the possible overlap with the e-Privacy Directive.