EU DPAs: New Regulation must not lower DP standards

The EU Art. 29 DP Working Party says that the new regulatory framework should not undermine the core principles and rights established in the DP Directive. The DPAs consider that the proposal to enable controllers to process data for a purpose that is incompatible with its original purpose directly violates the purpose limitation principle. However, the DPAs agree that it should be possible for controllers to process personal data for purposes that are not incompatible, provided there is a legal basis. Further processing for archiving, scientific, statistical and historical research purposes should also remain possible.

In their common position, adopted on 17 June, the DPAs say that the general rules for data protection should be established in the Regulation, and the proposed Directive should only provide for the law enforcement sector. Any broadening of this scope of the Directive is not acceptable.

The DPAs say that compliance details do not need to be specified in the Regulation and should be issued in the form of guidance by the European Data Protection Board and by DPAs. They have not commented on the precise level of fines but say that they should be a real deterrent.

There is a session on How Experian makes legitimate interests work: A model for other sectors? by Janet Lane, Privacy Counsel, and Michael Smith, Deputy General Counsel, Experian, UK at PL&B’s 28th Annual International Conference 6-8 July.