Update on EU Data Protection Reform Proposals (17 April 2012)
The Article 29 Working Party has issued its Opinion on the draft EU Data Protection Regulation. The Working Party (which consists of representatives from the Data Protection Authority (DPA) of each EU Member State, the European Data Protection Supervisor and the EU Commission) welcomes the proposals, but notes that parts of the Regulation need clarification and improvement.
With regard to the positive aspects of the Regulation, in brief, the Working Party states that:
- For individuals, the Regulation strengthens their rights by providing for greater transparency, strengthened right to data access, strengthened right to object, right to data portability, strengthened right to data deletion ('right to be forgotten'), and strengthened right to redress both through the DPA and the courts.
- For data controllers, the Regulation brings greater consistency, through privacy impact assessments, appointment of a Data Protection Officer, data breach notification duties and the adoption of a precautionary approach to international transfers.
- For data processors, the Regulation introduces an obligation to take on the responsibility of controller for a specific data processing operation if the processor goes beyond the instructions of a controller regarding that processing operation (relevant to 'cloud' providers).
- For DPAs, the Regulation provides for strengthened independence and powers, including administrative fines, and the obligation to be consulted on legislative measures.
The Working Party suggests a number of improvements to the Regulation. One is to clarify that a data subject with a complaint should in the first instance approach either the DPA of the Member State where they reside or the DPA of the Member State where the data controller or processor has an establishment. As drafted, the Regulation offers data subjects several routes for exercising their rights and seeking redress, which may lead to confusion and uncertainty.
The Working Party also recommends that DPAs be given a margin of discretion in deciding when to impose a fine, rather than being obliged to impose one in the situations prescribed by the Regulation.
On data breach notification, the Working Party suggests replacing the current mechanism with a two-step approach. The controller should notify the breach within 24 hours of becoming aware of it, with a further opportunity to supply any information that cannot be provided within that 24-hour period. This should help ensure timely notification without delaying it until every detail is known.
The Working Party notes that recital 24, which bears on the definition of personal data, provides that "identification numbers, location data, online identifiers, or other specific factors as such need not necessarily be considered as personal data in all circumstances". It is concerned that this wording could lead to an unduly restrictive interpretation of the notion of personal data, for example in relation to IP addresses and cookie IDs, and accordingly recommends that the recital be amended to ensure that IP addresses and cookie IDs are treated as personal data.
The Working Party notes that the manner in which the main establishment of a multinational company (whether EU-owned or non-EU-owned) is determined needs further clarification, including where the company operates through separate legal entities in different sectors.
Further, the Regulation provides that it applies to the processing of personal data of data subjects residing in the EU by a controller that is not established in the EU, where the processing activities relate to the offering of goods or services to such data subjects in the EU or to the monitoring of their behaviour. The Working Party takes the view that further clarification is needed of what is meant by both 'offering of goods and services' and 'monitoring of their behaviour'.
Should you have any query on any aspect of this note at any time, please do not hesitate to contact Davinia Brennan at email@example.com or your usual contact at A&L Goodbody.
Date published: 17 April 2012