In a speech earlier this week, Viviane Reding told representatives of EU data protection authorities that 'delegated acts', which have been criticised for being undemocratic, could provide data protection watchdogs with an opportunity to influence laws more directly than before.
Reding said that concerns over how the "delegated acts provisions" would impact on the "powers and scope" data protection authorities would have to interpret EU law were misplaced.
"Delegated acts are not, as some very misinformed (or misinforming?) lobbyists say, an undemocratic procedure that would allow for a power grab by the Commission," she said. "On the contrary: delegated acts were deliberately created to allow for a process to adjust non-essential elements of EU legislation to new developments, and to do this under the full control of the Parliament and the Council."
"Delegated acts thus end the secretive way of technical legislation being drafted by bureaucratic committees behind closed doors. They bring the process out in the open, as it should be in our European democracy ... I would like to reassure you that the Commission will of course always consult broadly before making proposals for delegated acts. We will need your expertise in the legislative process as well as in the process of delegated acts," Reding said.
Reding also said that reforms to the EU data protection regime, as currently drafted, would provide the bodies with a chance to shape the detail of the new laws.
"Such opinions of the Working Party on how to interpret data protection rules vis à-vis a new service or a new technology will be needed more than ever after the reform enters into force," Reding said. "Your opinion will be even more pertinent in the light of the new consistency mechanism, in which a strengthened Working Party will play a key role as you know."
"And your opinion will have more weight after the reform. Because once given, your opinion can find its way into the actual legislative texts by means of a delegated act – if Commission, Parliament and Council agree to make your opinion a binding rule. I personally believe that making Article 29 Working Party opinions binding could in many instances be an excellent way for further developing data protection EU law without always starting again a full-fledged legislative reform," she said.
The Article 29 is a committee made up of representatives from each of the EU national data protection authorities and includes representation from the UK's Information Commissioner's Office (ICO).
In January the European Commission set out plans to replace the 1995 EU Data Protection Directive with a new General Data Protection Regulation. If enforced it would introduce a single data protection law across all 27 EU member states, in contrast to the Directive, which does not require word-for-word implementation into national law.
The text allows the Commission to draft a series of "implementing" or "delegating" acts to provide more detail on the precise workings of some of the draft measures.
In an opinion on the draft data protection reforms published in March, the Article 29 Working Party said it "has serious reservations" about the European Commission's plans for a number of "delegated and implementing acts" to flesh out the detail of how some of the Regulation rules would work in practice.
"The adoption of delegated or implementing acts for a large numbers of articles may take several years and could represent legal uncertainty for the controllers and processors which expect implementation and concrete guidelines rapidly," the privacy watchdog said at the time. "At the very least the Working Party calls on the Commission to set out which delegated and implementing acts it intends to adopt in the short, medium and long term."
The Commission's draft Regulation outlines a new framework for the enforcement of the data protection regime by data protection authorities.
"Supervisory authorities" will be responsible for regulating companies that have their "main establishment" in that country. 'Main establishment' refers to the premises in which companies in control of personal data take their main decisions around the purposes of personal data processing. If companies take those decisions outside of the EU "the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place," according to the draft. In the case of specified processors of personal data, their main establishment is said to be "the place of its central administration" within the EU.
Under the proposed new regulatory regime the authorities are required to provide one another with "mutual assistance" so as not to inconsistently apply the laws in different countries. If individuals in more than one member state are likely to be affected by decisions taken by one authority, other authorities in those countries would have the right to participate in joint operations. Only the authorities in countries where the organisations have their "main establishment" would take regulatory action, unless the authority confers power to a sister regulator in another state.
Data protection authorities communicate proposed measures they intend to take following regulatory investigations to a new independent European Data Protection Board. It is planned that the Board would replace the Article 29 Working Party.
The Board would provide regulatory oversight and will be made up by the head of each EU member state's data protection authority and the European Data Protection Supervisor. The Board, Commission and individual authorities will be able to request that proposed regulatory action is subject to a consistency check to ensure the laws are being applied the same way across the EU.
In her speech Reding said the planned "consistency mechanism" would ensure decisions on data protection matters "carry more weight" and that it would "strengthen" the "independence" of data protection authorities from Government influence. Reding said the Commission's involvement in data protection regulation, as allowed for under the terms of its proposals, would be limited.
"The Commission's role in the consistency mechanism is clear: a possible intervention is a measure of last resort," the Commissioner said. "The Commission is there as a backstop. Its power to suspend a decision of a data protection authority is limited to cases where conformity with EU law is doubtful, or where there is a risk of an inconsistent application of our data protection rules."
"Similar mechanisms exist in other policy areas for example the telecoms sector, and these have worked well. In the best of worlds, we would therefore quite happily leave it to the new European Data Protection Board (the strengthened Working Party 29) to issue opinions on data protection matters affecting individuals in different Member States. And to ensure that such matters are dealt with in a consistent manner throughout the entire European Union, in the interest of citizens and businesses," she said.
"The Commission has no intention of becoming a 'super-data protection authority'. This is not our job, and it cannot be our job. The deliberation and determination of individual cases is for the data protection authorities, not for the Commission. But we all know that individual cases may well raise important general questions about the way the rules operate or have been intended to operate. They may also highlight consistency problems that – with the best will in the world – the European Data Protection Board cannot resolve," Reding said.
To help address concerns about funding shortfalls for data protection authorities operating under the proposed new regime, Reding said she hoped new "objective guidelines for an ideal, effective, financially independent national data protection authority" can be developed by next summer.
Reding added that she also hopes to have political agreement on changes to the EU's data protection framework by summer 2013.