Article 29 Working Party Releases Further Comments on EU Data Protection Reform
By Oliver Grazebrook and Ezra Steinhardt
On 27 February 2013, the Article 29 Working Party published its latest statement regarding the draft General Data Protection Regulation (the “Regulation”), which continues to undergo revision in the European Parliament and Council. (The latest European body to comment on the draft was the European Parliament's Committee on Employment and Social Affairs (EMPL), which published its opinion on the draft Regulation late last week.)
The Working Party statement stakes out the Working Party’s position on six key areas of the reform, including rules on consent, regulation of the public sector, and data transfers. The statement was also accompanied by in-depth discussions about an “exemption for personal or household activities” and about how the “one-stop shop” rules will work when a controller is processing data in multiple jurisdictions.
The Working Party’s key recommendations for each area are summarised below. As with the Working Party’s prior opinions about the Regulation, the statement generally sets out a strict viewpoint that some in industry may find restrictive. For example, the statement rejects calls for looser rules about consent and data transfers. That said, the Working Party also uses the statement to advocate for a new “risk-based” approach, in which the burden of each controller’s obligations scale in accordance with the controller’s size, the types of data, and the ways they are processed, which could help to ease the concerns of smaller businesses.
Six Areas of Recommendations
The six areas discussed in the statement are:
- Flexibility in the public sector. The Working Party argues that data protection should apply equally to both the public and private sector, in order to ensure consistent protections for data subjects and to maintain simple and workable data protection rules. This position goes directly against calls from the Irish Presidency of the European Council, which has argued that the Regulation’s rules as they would apply to the public sector should be relaxed (see our recent Inside Privacy post).
- Personal Data and Pseudonymisation. The Working Party argues that, under its interpretation of “anonymisation” and “encryption”/“pseudonymisation” -- namely, that identities are permanently disguised for anonymized data, but temporarily disguised using a reversible process for encrypted and pseudonymized data -- data protection rules should continue to apply to processing of encrypted and pseudonymized data, because identities can be recovered from such data.
- Consent. The Working Party argues that calls for explicit consent rules to be removed from the Regulation are wrong, that controllers should bear the burden of proving that valid consents have been obtained, and that consents cannot be valid as a legal basis for processing if there is a significant imbalance between the positions of the controller and data subject.
- Risk-based approach. The Working Party concedes that controller obligations should be scalable in line with the size and capabilities of the controller, but also with the risks of the data being processed and the way in which it is being processed. This new risk-based approach echoes the Council’s position (many Council members have expressed concern about possible burdens on small enterprises flowing from the Regulation, and this change may be an attempt to mitigate those concerns). (See this recent Inside Privacy post.) The Working Party suggested that risk factors that should be used to determine controller obligations should include not only the size of the controller but also the type of processing being carried out and the categories of data being collected. However, somewhat puzzlingly, the Working Party also insisted that despite this new risk-based approach, data subjects should be entitled to the same level of protection, regardless of the size of the controller or the types of data each controller possesses.
- International Transfers. The Working Party argues that non-binding instruments should not permit data transfers to countries outside the EU, and that self-assessment (i.e. making transfers in the absence of an adequacy decision by the Commission pursuant to Article 44 of the Regulation) should only enable such transfers in exceptional circumstances. The Working Party also advocates that Mutual Legal Assistance Treaties (MLATs) should always be used, on an obligatory basis, if disclosures are not already authorised by EU or Member State law, and that transfers should be prohibited if MLATs are not in place even when courts in the third country have authorised the transfer.
- Governance. The Working Party provides general guidance on how data protection authorities and the European Data Protection Board (the Working Party’s potential successor) should operate in the future. In order to operate effectively, the Working Party recommends the creation of clear rules dealing with issues such as budgets, the equality of powers between DPAs and the European Data Protection Board, and the margin of discretion for DPAs in deciding enforcement priorities.
Discussion of One-Stop Shop Rule and Personal/Household Exemption
The Working Party statement also included two annexes, that discuss the workings of the “one-stop shop” rule and the proposed exemption for personal or household activities.
- One-stop shop. The Working Party’s proposed rule would be that in cases where a controller is established in multiple Member States, the data protection authority (DPA) of the country in which the controller has its main establishment shall act as a single contact point for the controller. However, this “lead authority” would only have “non-exclusive” competence -- which means that it would need to cooperate with the DPAs of the other relevant Member States in which the controller operates. Importantly, though, any decision made by the lead DPA would be binding on all the other Member State DPAs, in order to encourage a consistent and legally certain system. In cases where the “main establishment” is disputed, or where the controller is not based in the EU but residents of Member States are affected by the processing operations, the Working Party recommends that the European Data Protection Board designate a DPA to act as lead.
- Exemption for personal/household activities. This exemption, which already exists under Article 2(2)(d) of the Data Protection Directive (95/46/EC), has expanded significantly over the years as personal blogs and social media have grown in popularity -- but the Working Party argues against the idea of extending the exemption in the Regulation to all individuals. Instead, the Working Party argues that DPAs should be given greater power to investigate “borderline cases” (where it is unclear whether or not the exemption applies), and that DPAs should also be provided with more guidance about how to determine whether or not the exemption applies in any single instance.