In a letter (2-page / 24KB PDF) to Justice Commissioner Viviane Reding, the Article 29 Working Party called for an "independent in-depth assessment" of the financial implications EU data protection law reform will have on DPAs and the European Data Protection Supervisor (EDPS), as secretariat for the new European Data Protection Board (EDPB).
In January the European Commission published a draft General Data Protection Regulation (119-page / 589KB PDF) that, if enforced, would introduce a single data protection law across all 27 EU member states. Companies processing the personal data of EU citizens outside the borders of the trading bloc would also be subject to the rules.
The Working Party is a committee made up of representatives from each national DPA within the EU, and was set up under Article 29 of the existing Data Protection Directive. It will be replaced by the EDPB if the draft Regulation is approved."
To empower DPAs and the EDPB to effectively carry out their duties, including mutual assistance and cooperation within the consistency mechanism, Member States must be committed to provide the necessary financial, human and technical resources," Working Party chairman Jacob Kohnstamm said in the letter. "Without these there is a risk that DPAs will not be able to cope with the demands on them and will act as an impediment to rather than an enabler of the innovation and growth that you are seeking to promote."
If member states and the Commission are not prepared to commit to the cost of providing the necessary resources, the Working Party said, then the Commission should "scale back" those duties it considers less of a priority or that do not provide "the best 'value for money' in terms of privacy protection".
Under the draft Regulation DPAs would be responsible for regulating companies that have their "main establishment" in that country. 'Main establishment' refers to the premises in which companies in control of personal data take their main decisions around the purposes of personal data processing or, if companies take those decisions outside of the EU, the "place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place", according to the draft.
DPAs are required to provide one another with "mutual assistance" under the proposed new regulatory regime so that the laws will be applied consistently in different countries. If individuals in more than one member state are likely to be affected by decisions taken by one authority, other authorities in those countries have the right to participate in joint operations.
In its official opinion (32-page / 149KB PDF) on the new Regulation, published at the end of last month, the Working Party said that the new rules should include a "general obligation" to "anonymise or pseudonymise" personal data when processing information where it is "feasible and proportionate" to do so.