Out-Law / Your Daily Need-To-Know

Out-Law News 3 min. read

EU body will investigate use of pseudonymisation to reduce businesses' data protection responsibilities


A working party of officials from justice departments across the EU has been asked to explore to what extent the pseudonymisation of personal data can be used to "calibrate" businesses' obligations to data protection.

The Irish Presidency of the Council of Ministers has asked an agenda-setting body within the Council to ask the Council to formally invite the Working Party on Information Exchange and Data Protection (DAPIX) to look into the issue.

The Irish Presidency said that some EU member states have expressed opposition to "the level of prescriptiveness" of some provisions proposed by the European Commission that, if introduced, would overhaul rules on data protection in the EU. The Presidency has therefore called on DAPIX to look at whether the pseudonymisation of personal data can be a tool for reducing businesses' obligations under the new framework.

The Commission first published its draft General Data Protection Regulation last year. If backed it would introduce a single data protection law across all 27 EU member states. Since then separate scrutiny of the proposals have been taking place within the two EU organisations that would need to agree on a new framework before it could be introduced - the European Parliament and Council of Ministers.

Under the Commission's proposals it would be mandatory for organisations to conduct data protection impact assessments before conducting personal data processing activities that present "specific risks" to individuals' rights. Organisations would additionally have to seek prior authorisation from data protection authorities to proceed with processing in such cases.

However, the Irish Presidency said that "some" EU member states had raised objections with the plans. The Ministry of Justice in the UK has previously claimed that the provisions were disproportionate and overly bureaucratic and costly for businesses to adhere to.

"Some member states question the obligation to engage in prior consultation with the supervisory authority where such an [impact] assessment indicates that the proposed processing operations are indeed likely to present a high degree of specific risk," the Irish Presidency's said in its note to the Committee of Permanent Representatives (COREPER). "Processing could not then commence during the suggested consultation period."

Some member states are also pushing for rules regarding the appointment of data protection officers (DPOs) to be watered down, according to the Irish Presidency's note. Those countries oppose draft provisions which would force certain organisations, including those involved in "risky processing", to employ DPOs, and instead believe that there should be incentives for businesses to appoint DPOs on an optional basis, it said.

"Some Member States, while accepting the designation of a data protection officer in case of risky processing, nonetheless consider that designation should be optional rather than mandatory," the note said. "Moreover, some benefit in terms of lighter obligations should apply in cases where such an officer is designated. This would help to incentivise the designation of such officers."

The Irish Presidency said that a section of the Commission's draft Regulation, which sets out the responsibilities of data controllers and data processors under the proposed new regime, needs to be "further refined in order to establish criteria for distinguishing different types of risk that may entail different types of obligations on the controller" and said that this should take into account the needs of micro, small and medium-sized businesses.

It also said that there needs to be further assessment of "whether, and if so how" pseudonymisation can "can contribute to the calibrating of controllers' and processors' data protection obligations while maintaining protection levels".

DAPIX should therefore be instructed to develop criteria that can allow organisations to "distinguish risk levels" in their personal data processing "in order to calibrate the application of their data protection obligations" and also look into whether pseudonymisation can be considered "as a means of calibrating" organisations' obligations under the new framework, the Irish Presidency said.

A Committee of MEPs in the European Parliament, tasked with scrutinising the proposed data protection reforms, recently backed plans which would enable pseudonymised processing to take place without the consent of the individuals to whom the data relates. The Industry, Research and Energy Committee is one of four European Parliament committees looking into the data protection reforms. The lead committee is the one on Civil Liberties, Justice and Home Affairs (LIBE) which is due to vote on the its own report in April.

LIBE's paper, if backed, would form the basis of the Parliament's position during negotiations with the Council of Ministers. Parliament and Council negotiators will seek to agree on a single framework to put to a formal vote of the full Parliament and Ministers across the EU.

The UK's data protection watchdog, the Information Commissioner has previously said that whilst it believes pseudonymised data should be classed as 'personal data', it believes there is a case for absolving organisations from some data protection responsibilities when dealing with pseudonymised information.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.