This post was written by Cynthia O’Donoghue.
In the Article 29 Working Party’s Opinion on the new EU data protection reforms, the Working Party has carefully studied both the Regulation and the Directive, and has given its first general reaction. The Working Party welcomed the provisions intended to clarify and strengthen the rights of individuals, including clarification of consent, the introduction of a transparency principle and enhanced redress, as well as the proposals to harmonise the powers among the national data protection authorities (DPAs).
Despite the positive reaction, the Working Party stated its disappointment at having two separate legal instruments, a Regulation and a Directive, given that the objectives of the two instruments are the same and that a comprehensive legal framework is achievable.
In relation to the Regulation, the Working Party highlights positive aspects, including:
- Greater clarity through more precise definitions
- Greater rights for individuals regarding their data, such as more transparency, greater control over data processing and strengthened rights to data access
- Simplification and greater consistency for data controllers
- Introduction of Privacy by Design
- Data breach notification requirements
- The Right to be Forgotten, which it hopes will strengthen individuals’ controls over their personal data
- DPAs being given strengthened independence and powers, including fines
The Working Party also highlighted weaknesses, including serious reservations about the delegated powers reserved to the European Commission, as well as concern about the increased costs and resources needed by the DPAs, and the broad exceptions for public authorities by reason of public interest. The weakness identified in the Right to be Forgotten is whether it will be possible to enforce, given the way the Internet works and the lack of a mandatory provision requiring third parties to comply with an individual’s request to erase data.
Most notably, the Working Party welcomes the introduction of significant fines, which it believes will act as a deterrent and will contribute to a high degree of compliance by data controllers.
In relation to the Directive, the Working Party fears that the number of inconsistencies between the Regulation and the Directive will result in the two instruments not being complementary, and in the potential for the documents not to work together on core aspects, especially given that the Directive has a lower standard of protection than the Regulation.
As the new Regulation and Directive make their way through the European parliamentary process, it will be interesting to watch whether the two instruments become one so that the overall aim of consistency is achieved, especially as the Directive governs the way in which law enforcement handles individuals’ personal data and given the desire for not just corporates, but also government, to be held to the same standards.