European Data Protection Supervisor gives his Opinion on the EU DP Trilogue negotiations via a new app

Today, Giovanni Buttarelli, European Data Protection Supervisor, followed up his announcement on 7th July at PL&B’s 28th Annual International Conference by launching an app which not only gives his Opinion on the Trilogue negotiations but also provides it alongside the positions of the three parties, the European Commission, the European Parliament and the EU Council of Ministers.

The Opinion, titled, Europe’s big opportunity, starts by explaining its legal remit to give advice to the Trilogue in reaching “the right consensus on time.” This Opinion is in line with that published on 17th June by the EU Art 29 DP Working Party, of which it is a full member. The Opinion states: “the time is now to safeguard individuals’ fundamental rights and freedoms in the data-driven society of the future.”

“The EU must aim to be selective, focus on the provisions which are really necessary and avoid detail which as an unintended consequence might unduly interfere with future technologies.”

The EDPS has three main concerns:

  • “a better deal for citizens,
  • rules which will work in practice,
  • rules which will last a generation.”

Under the heading that all data processing must be both lawful and justified, it states that the EU “should preserve, simplify and operationalise the established notion that personal data should only be used in ways compatible with the original purposes for collection.”

In a challenge to one of the legal bases for processing personal data of the current EU DP Directive, it states: “We strongly advise against permitting transfers on the basis of legitimate interests of the controller because of the insufficient protection for individual.”

The Opinion revives collective action, one of the protections for individuals rather neglected since the early drafts of the Regulation: “Individual rights enforcement requires an effective system of liability and compensation for damage caused by the unlawful data processing. Given the clear obstacles to obtaining redress in practice, individuals should be able to be represented by bodies, organisations and associations in legal proceedings.”

If companies may be concerned by this statement, fearing explicit recognition of civil law/private law group action, they will be encouraged by other elements of the EDPS’s position:

  • opposing excessive regulatory detail or “attempts at micromanagement of business processes risks becoming outdated..”
  • moving on from existing procedures where necessary “our recommendations aim to identify ways of de-bureaucratising, minimising the prescriptions for documentation and irrelevant formalities….”
  • providing room for manoeuvre “for companies, public authorities or data protection authorities: a space that must be filled by accountability and guidance from data protection authorities.”
  • recommending data protection impact assessments “only where the rights and freedoms of data subjects are at risk” and
  • supporting industry initiatives, “Binding Corporate Rules or privacy seals, should be actively encouraged.”

The Opinion concludes by referencing the February 2015 edition of Privacy Laws & Business International Report as its source when stating “Now over 100 countries across the world have data protection laws and less than half of these are European countries.” It then continues to recognise the EU’s influence beyond the region in that “the EU nevertheless continues to command the close attention of countries who are considering establishing or revising their legal frameworks.”