Monday, March 12, 2012

EDPS opinion on the data protection reform package

The European Data Protection Supervisor (EDPS), Peter Hustinx, last week issued his opinion on the European Commission's data protection reform package. The Commission announced proposed changes to EU data protection rules in January, including a proposal for a Directive covering data protection in law enforcement. He is impressed with the intent of the new general data protection rules and simultaneously "seriously disappointed" (code for "appalled") at the carving out of a special anything goes directive for law enforcement. There is a decent summary of the opinion in the associated press release.
"On the package, Peter Hustinx, EDPS, says: "The proposed Regulation constitutes a huge step forward for the right to data protection in Europe. However, we are unfortunately still far from a comprehensive set of data protection rules on national and EU level in all areas of EU policy. The proposals are disappointing in the law enforcement area, and they leave many existing EU data protection instruments untouched, such as the data protection rules for the EU institutions and bodies and also all the specific law enforcement instruments...
"The proposed rules for data protection in the law enforcement area are unacceptably weak. In many instances there is no justification whatsoever for departing from the rules provided in the proposed Regulation. The law enforcement area requires some specific rules, but not a general lowering of the level of data protection."
The EDPS is concerned in particular with regard to:
  • the lack of legal certainty about the further use of personal data by law enforcement authorities;
  • the lack of a general duty for law enforcement authorities to demonstrate compliance with data 
  • protection requirements; 
  • the weak conditions for transfers to third countries; 
  • the unduly limited powers of supervisory authorities. "
In relation to new general Regulation on data protection he also has some specific concerns on the details:
  • the possibilities for restricting basic principles and rights;
  • the possible derogation for transferring data to third countries;
  • the excessive powers granted to the Commission in the mechanism designed to ensure
  • consistency among supervisory authorities;
  • the new ground for exceptions to the purpose limitation principle.
As usual with Mr Hustinx it is a thoughtful comprehensive opinion and whereas I don't expect many but privacy anoraks to read and inwardly digest the full 85 pages, the two page executive summary should be compulsory reading for all EU citizens.  Expect the Commission to liberally use and abuse that description of the proposed regulation as "a huge step forward for data protection in Europe" whilst simultaneously ignoring and engaging significant energies to circumvent the serious concerns raised in the opinion.

No comments: