Out-Law News 7 min. read

Individuals should generally not be identifiable when their personal data is being processed, privacy watchdog says


Organisations should be required to "anonymise or pseudonymise" personal data when processing the information if it is "feasible and proportionate" to do so, an EU privacy watchdog has said.

The Article 29 Working Party said the "general obligation" should be included as part of reforms to EU data protection laws.

The Working Party, which is a committee made up of representatives from each of the EU national data protection authorities (DPAs), issued the recommendation as part of its wider published opinion (32-page / 149KB PDF) on the European Commission's proposed General Data Protection Regulation.

"The Working Party believes that the concept of pseudonymisation should be introduced more explicitly in the instrument (for example by including a definition on pseudonymised data, consistent with the definition of personal data), as it can help to achieve better data protection, for example, in the context of data protection by design and default," it said.

"The Working Party therefore suggests introducing a general obligation to anonymise or pseudonymise personal data where feasible and proportionate according to the purpose of processing. Such a principle could be introduced [as part of rules on the principles of personal data processing] and in the context of data protection by design and default," the group said.

In January the Commission published a draft General Data Protection Regulation that, if enforced, would introduce a single data protection law across all 27 EU member states. Companies whose processing of the personal data of EU citizens takes place outside the borders of the trading bloc would also be subject to the rules.

The Working Party generally welcomed the Commission's plans and said it would help deliver "a more harmonised application of the law" as well as a strengthening of individuals' rights, including "greater control" over how their personal data is processed.

However, the watchdog raised a number of concerns with the proposals.

The Working Party said data protection authorities should not be obliged to issue fines for breaches of the Regulation. The current wording drafted states that the regulators "shall" impose fines, but that power should be "discretionary", the watchdog said.

The right to compensation for damages suffered as a result of a breach of the Regulation as currently drafted was generally welcomed by the Working Party but it said that right should also apply in relation to distress suffered.

Organisations should not be able to transfer personal data to a "third country or international organisation" outside the European Economic Area unless it is done via a "legally binding instrument", according to the Working Party. Wording that would allow non-binding transfers to be agreed with regulators should be removed from the draft text, it said.

The Working Party also said it had concerns about how rules around regulatory responsibility had been drafted.

Under the draft Regulation DPAs would be responsible for regulating companies that have their "main establishment" in that country. 'Main establishment' refers to the premises in which companies in control of personal data take their main decisions around the purposes of personal data processing or if companies take those decisions outside of the EU "the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place," the draft said.

Under the proposed new regulatory regime authorities are required to provide one another with "mutual assistance" so as not to inconsistently apply the laws in different countries. If individuals in more than one member state are likely to be affected by decisions taken by one authority, other authorities in those countries have the right to participate in joint operations. Only the authorities in countries where the organisations have their "main establishment" will take regulatory action, unless the authority confers power to a sister regulator in another state.

Authorities must communicate proposed measures they intend to take following regulatory investigations to a new independent European Data Protection Board. The Board will replace the Article 29 Working Party.

However, the Working Party said the proposals needed to be better "clarified" to determine when data protection authorities (DPAs) are responsible for taking regulatory action.

"The definition of main establishment seems primarily intended to determine which national DPA should be the lead DPA in a particular case, or for a particular company," it said. "A clear understanding of the term ‘main establishment’ is crucial, as it is decisive for determining the lead authority ... where processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State."

If the 'main establishment' of businesses cannot be determined, or if those businesses are based outside of the EU, then set criteria should be established to assess which DPA is regulatory responsible in those case, the watchdog said.

"[The criteria] could include: the Member State in which the main processing activities in question are taking place; the Member State in which individuals are affected; the Member State in which individuals have specifically complained to or raised concerns with the DPA," the Working Party said. "It is clear that there may be several Member States for any of the abovementioned criteria."

"However, on the basis of these criteria the relevant DPAs should agree amongst themselves who should take on the responsibility of being lead. In cases where it is not obvious, or where there is no agreement, the EDPB should decide upon the lead, based on the same criteria," it said.

Consumers should be able to take complaints about organisations' compliance with the Regulation to the authority based in their own country, the Working Party said. Those bodies would then be responsible for coordinating with counterparts based in the country where the organisation has its 'main establishment'.

"Notwithstanding the right to a judicial remedy, the Working Party suggests to clarify that data subjects shall in principle address the DPA within the jurisdiction where they reside or the DPA where the data controller or processor has an establishment," it said. "In order to be able to respond to the data subject, the addressed DPA in this Member State would have to cooperate with the DPA of the main establishment of the controller (the lead DPA) in order to agree on necessary measures to investigate and in certain cases to take enforcement action."

"The DPA initially addressed will however in all circumstances remain responsible for responding to the data subject," the Working Party said.

The Working Party raised concerns with the draft rules on data breach notifications and said that "the duty to notify to the supervisory authority should be more focused and restricted" than is currently planned. "The situation that supervisory authorities are distracted by and overburdened with the processing of notifications of minor data breaches which are unlikely to adversely affect the rights of data subjects should be avoided," it said.

The Regulation would require companies to notify any individuals concerned and regulators with certain information about any data breach "without delay and, where feasible, not later than 24 hours after having become aware of it". The information should include recommendations over what people can do to "mitigate the possible adverse effects of the personal data breach".

Under the plans regulators will have the power to fine businesses up to 2% of their annual global turnover for failing to notify breaches or for other serious breaches of the Regulation.

Problems with how proposals to introduce individuals' 'right to be forgotten' have been drafted and the "reality of how the internet works" means the right would be limited in its "effectiveness", the Working Party said.

Under the proposed new regime individuals will be given a right that generally enables them to force organisations to delete personal data stored about them "without delay". Organisations that have made the data public will be liable for the data published by third parties and will be required to "take all reasonable steps, including technical measures" to inform them to delete the information.

Organisations will be able to oppose the deletion of information if they can show they have a right to publish the data under the fundamental principle of freedom of expression or if it is in the public interest for the data to remain in existence.

"The controller is responsible not only for the erasure of data but also for informing third parties that are processing this data by means of links, copies or replications of the request of the data subject," the watchdog said. "Placing this obligation only on the controller has limitations, as there may be cases where the controller has taken all reasonable steps to inform third parties, but is not aware of all existing copies or replications or when new copies or replications appear once the controller has informed all known third parties."

"More importantly, no provision in the Regulation seems to make it mandatory for third parties to comply with the data subject’s request, unless they are also considered as controllers," it said.

The Regulation also does contain a "mechanism" for "the deletion of links to, copies or replications of data which is not erased" meaning that access to original content could still be facilitated.

Parts of the Regulation that exempt public authorities from having to comply with some of the rules are too "broad and unspecified," the Working Party said. The exemptions are "unjustified" because they "lack adequate safeguards for the protection of individuals". Specific "public interests" should be listed to limit when the exemptions can be relied upon, it said.

The Working Party also said it "has serious reservations" about the European Commission's plans for a number of "delegated and implementing acts" to flesh out the detail of how some of the Regulation rules would work in practice.

"The adoption of delegated or implementing acts for a large numbers of articles may take several years and could represent legal uncertainty for the controllers and processors which expect implementation and concrete guidelines rapidly," the Working Party said. "At the very least the Working Party calls on the Commission to set out which delegated and implementing acts it intends to adopt in the short, medium and long term."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.