Out-Law News

Pan-European data protection policy still "far from comprehensive", regulator warns


"Ambitious" plans to introduce a single data protection law across the European Union lack clarity, but in general represent a "huge step forward" for data protection across all 27 member states, an EU watchdog has said.

However, the Commission's separate proposals, which will apply specifically to police and justice, are "unacceptably weak" and should not involve such a big departure from the general rules, according to the European Data Protection Supervisor (EDPS).

"The proposals are disappointing in the law enforcement area, and they leave many existing EU data protection instruments untouched, such as the data protection rules for the EU institutions and bodies and also all the specific law enforcement instruments. We are unfortunately still far from a comprehensive set of data protection rules on national and EU level in all areas of EU policy," said EDPS Peter Hustinx.

In an 85-page opinion, Hustinx outlined his general support for the new General Data Protection Regulation, published earlier this year, which aims to replace the 1995 EU Data Protection Directive with a single directly applicable data protection law across all 27 EU member states.

By laying out the changes in the form of a Regulation, which will directly supersede national law in every member state, the new law will do away with "many complexities and inconsistencies" between the current national regimes. The rules will also strengthen the rights of individuals and the role and powers of national supervisory authorities, the opinion said.

Compulsory mechanisms which will be introduced under the Regulation, including impact assessments, mandatory data protection officers and documentation on processing, will make data controllers more accountable for how they handle personal data, it said.

However, the EDPS pointed out that exceptions to the Regulation could restrict the application of basic principles and rights, and that it included too many derogations and exceptions on data transfers to non-EU countries.

The conditions under which data could be transferred to third party countries were even weaker under the separate directive which covered law enforcement activities, he said.

"In many instances there is no justification whatsoever for departing from the rules provided in the proposed Regulation. The law enforcement area requires some specific rules, but not a general lowering of the level of data protection," Hustinx said.

"The Commission has not lived up to its promises to ensure a robust system for police and justice. These are areas where the use of personal information inevitably has an enormous impact on the lives of private individuals," he added.

In his opinion, he highlighted the lack of legal certainty about conditions under which law enforcement officials may be able to make further use of personal data. He also questioned the lack of a "general duty" for law enforcement authorities to demonstrate compliance with data protection requirements.

A call for evidence issued by the UK Government to help it shape its negotiating strategy when discussing the proposals with other EU member states closed earlier this week. The Ministry of Justice is due to publish a summary of the responses received in June.

Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, previously expressed concern about the impact the new laws could have on businesses. Medium-sized companies would "baulk" at having to employ a data protection officer even if they did not process much personal data under a provision that makes such an appointment mandatory for companies with more than 250 employees, he said.

Dautlich said that a rule giving organisations only 24 hours to report data breaches gave them insufficient time to assess the impact of breaches and recommend effective remedies to customers.
