In an official opinion (8-page / 761KB PDF) the European Economic and Social Committee (EESC), which represents economic and social interest groups across the 27-state bloc, said that the Commission's approach to reform needed to be "more in line with the needs and expectations of the public".
In addition, it said, it was concerned about the "excessive" number of exceptions and restrictions to the general right to protection of personal data contained in the Commission's proposals.
"[T]he proposal could have gone further in increasing the protection offered by certain rights that have been rendered almost void of content by a multitude of exceptions and limitations and ... established a better balance between the rights of the various parties concerned," it said. "There is therefore a risk of an imbalance between the aims of the fundamental right to data protection and those of the single market, to the detriment of the former."
It added that in order to conform with what data subjects expected from a data protection law, the rules should be "applied more systematically to certain fields of economic and social activity", including direct marketing, e-commerce, employment relationships and surveillance. In addition, data provided "voluntarily" by individuals on social networks should not be excluded from protection, as could be inferred from the current draft.
The EESC is a consultative assembly made up of interest groups representing employers, employees and various other interests. It must be consulted on certain issues set out in the European treaties - including on matters of social policy, social and economic cohesion, environment, education, health and consumer protection - as well as in all cases where the European institutions deem it appropriate.
Proposed by the European Commission in January the draft General Data Protection Regulation would, if enacted, introduce a single data protection law across all 27 EU member states. Companies that process personal data of EU citizens from outside the borders of the trading bloc would also be subject to the rules. The changes are necessary, the Commission has said, to update the current "fragmented" European data protection regime and bring the existing rules up to date with advances in technology.
In its opinion, the EESC said that search engines should be expressly included within the scope of the law as "the majority" of their revenue comes from targeted advertising as a result of the data they hold on visitors to their sites.
"The same should go for the sites of servers providing storage space and, in some cases, cloud computing software that can collect data on users for commercial ends," the EESC said in its opinion. "The same should also apply to personal information published on social networks which, in accordance with the right to be forgotten, should allow data subjects to modify or erase such information or to request the deletion of their personal pages as well as links to other high-traffic sites where that information is reproduced or discussed."
The EESC questioned the extent to which the draft Regulation as it stood protected against the risk of "profiling" individuals without their consent. The Regulation as drafted does not define the term, which is generally refers to treating data subjects in a certain way based on an assumptions about their behaviour and preferences, however it prohibits "automated" profiling techniques. The EESC said that this prohibition should not be limited to automated processing.
The report also expressed concern about the scope given to the Commission to pass further changes in the form of 'delegated acts'. Delegations appear "almost everywhere" in the Regulation, the EESC said, and cover "crucial aspects of the legal instrument".
European lawmakers can give the Commission the power to supplement or amend certain "non-essential" elements of the law. The EESC said that the Regulation contained 26 delegations, the scope of which went "far beyond the limits" laid out in the EU Treaty. This had, it said, "consequences for the instrument's legal security and certainty".
The group was also divided on whether the changes should be introduced in the form of a regulation, which is directly applicable to member states, or a directive which must instead be transposed into national laws. This position, it said, reflected that of member states, particularly those in which a higher level of protection is already given to personal data than set out in the Commission's proposals.
Last week it emerged that the UK Government was also in favour of implementing changes to the current regime in the form of a Directive rather than a Regulation. Doing so would give EU member states greater "flexibility" over how to implement the reforms than is currently planned, the Government said, according to a leaked document (170-page / 606KB PDF) obtained by Statewatch.
If the Commission intended to press ahead with a regulation, the EESC said, it must amend its proposals to ensure "consistency between the translations into all languages".