This post was written by Cynthia O’Donoghue.
The Article 29 Working Party (“Art. 29 WP”), which has already released two opinions (WP191 and WP199) regarding the draft General Data Protection Regulation (“Regulation”), issued a statement and two accompanying annexes addressing some of the most heavily debated elements. This statement addresses relaxation of rules for the public sector, a one-stop-shop for data controllers, the pseudonymisation of data, the standard of consent, cross-border transfers, a risk-based approach, and the household exemption. Many of the views expressed by the Working Party appear to be in direct opposition to a number of observations made by other organisations, such as ITRE (see also our blog and client alert regarding ITRE’s opinion).
The Art. 29 WP vehemently opposes the concept that the public sector should have a different regulatory regime for data protection from that of the private sector, on the basis that data protection is a fundamental right that is not affected by the status of the data controller being a public body.
The Art. 29 WP seeks the inclusion of pseudonymised and encrypted data within the scope of ‘personal data’ on the basis that they are security techniques that do not change the inherently personal nature of the data.
The Art. 29 WP discourages removing the requirement for explicit consent because the requirement is essential to ensure that consent is not misused by data controllers and goes to the heart of proving the validity of consent. It also expressed support for treating consent as invalid when it is obtained where there is a significant imbalance of power.
Permitting cross-border data transfers without the need for a binding mechanism was rejected by the Art. 29 WP. The Art. 29 WP’s statement advocated the introduction of Mutual Legal Assistance Treaties (“MLATs”) to govern disclosures of data not otherwise authorized under EU or EU member states’ national laws, where such disclosures would be based on important grounds of public interest. Without such MLATs, data controllers would continue to be prohibited from transferring data outside the EU even when subject to the court order of a third country.
The Art. 29 WP supports a risk-based and scalable approach to data protection, with risk depending not only on the size of the controller, but also on the nature and categories of the data being processed.
In relation to the household exemption, commonly relied upon by organisations that ask members or users to add their contacts, such as social media, the Art. 29 WP recommended removing the exemption when its use would result in gainful interest connected with a commercial activity.
This statement will be weighed by the LIBE Committee as part of determining which of the more than 3,000 suggested amendments to incorporate into the Regulation; but given that the Art. 29 WP is made up of the 27 EU member states’ data protection authorities, the Art. 29 WP statement is likely to be influential.