European Data Protection Supervisor (EDPS) Peter Hustinx said the results of a recent survey into the way EU bodies comply with data protection laws had revealed shortcomings in compliance. A number of "benchmarks" have subsequently been established that set out the standards expected of the bodies.
"I am concerned that not all EU institutions and bodies are performing as well as they should," Hustinx said in a statement. "Implementation of data protection principles is not only a matter of time and resources, but also of organisational will. Ensuring compliance is a process that requires the commitment and support of the hierarchy in all institutions and bodies."
EU institutions and bodies, such as the European Commission, the European Court of Justice and the Office of Harmonisation in the Internal Market, are subject to data protection rules separate from those that apply to other organisations in the trading bloc. The EU's Data Protection Regulation sets out the rules EU institutions and bodies must adhere to.
Under the Regulation the bodies are required to inform their dedicated data protection officer (DPO) about any personal data "processing operation" before it starts. The notification must include certain information, such as the name and address of the body that would be responsible for the processing, the purpose of the processing and its legal basis. All EU bodies and institutions are required to have a DPO, who is supposed to act as an independent monitor of data protection compliance and must keep a "register" of the processing operations the body carries out.
Hustinx said most of the organisations had adopted rules that set out "the tasks, duties and powers" of the DPO.
The EDPS said that whilst many of the 58 EU institutions and bodies are keeping "excellent" notification records, some, including the European Aviation Safety Agency (EASA), do not.
Under the Regulation EU bodies and institutions are also required to obtain prior approval from the EDPS for personal data processing if the proposed processing is "likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes".
Processing of health data, of information about criminal convictions or of data relating to security measures is among the categories of processing likely to pose specific risks to those rights, the Regulation states.
Hustinx said that some bodies had failed to identify personal data processing procedures as being risky and had therefore not notified him about the operations for prior checking.
Hustinx also said he plans to communicate directly with senior officials at EU bodies and institutions, having reported that they should be responsible for ensuring that the recommendations he issues are followed up on. He said it was not the responsibility of the DPOs to ensure recommendations were implemented, although EU bodies and institutions had expressed the view that it was.
"The EDPS takes the view that mechanisms improving accountability of the body should be developed; in particular concerning the implementation of EDPS' recommendations. The DPO should not be considered as the person in charge of the implementation of the recommendations," Hustinx said in his report (21-page / 81KB PDF) into how the EU institutions and bodies are complying with data protection law.
"To this end, the EDPS plans to develop his practice towards direct communication with the person responsible for the processing operation. In the near future, the EDPS will address directly to the hierarchy - if necessary at the highest level - questions concerning follow up that have been pending for a long time. This change in communication should further develop the data protection culture within institutions and bodies," he said.
Some newly established EU bodies are still "in the process" of appointing DPOs, whilst the European Centre for Disease Prevention and Control (ECDC) has still to replace the officer who left last year, Hustinx said. The ECDC will be subject to enforcement action "in the very near future" because the lack of a DPO is blocking the "compliance mechanism" of the organisation, he said. The EDPS has the power to ban all personal data processing at EU bodies that fail to comply with the Regulation, whilst individual officials can face disciplinary action for their own "negligence" in failing to comply with the legislation.
Hustinx set the EU institutions and bodies different "benchmarks" to improve their compliance with the Regulation. All the organisations must appoint a DPO, whilst those bodies established just last year are also required to submit "implementing rules" governing the DPO's role to Hustinx for consultation or adoption.
More established institutions, including the European Commission and European Parliament, have been handed stricter compliance requirements. They must notify the EDPS in advance of all processing operations they plan to undertake that present specific risks, and must ensure that they inform their DPO of at least 85% of all personal data processing operations.
Hustinx plans to visit five EU bodies during this year, including EASA and ECDC, to set out "roadmaps" to better compliance.
"The presence of a DPO and his/her resolute action is a key factor for implementing the Regulation. At the same time and without prejudice to the DPO's responsibility, the accountability of the institution or body for adequate compliance with data protection should be reinforced. The EDPS has a role to play in emphasising and if necessary enforcing this accountability," the EDPS' report said.