Out-Law News

EU privacy watchdog calls for pragmatism in wording of data protection reforms

New EU data protection laws should be shorter and less prescriptive than envisaged, an EU privacy watchdog has said.

The European Data Protection Supervisor (EDPS) has made recommendations which would streamline many of the draft provisions being considered by EU law makers as they negotiate a new General Data Protection Regulation.

Among the recommendations (520-page / 2.68MB PDF) are proposals to simplify planned new rules on data protection impact assessments and the reporting of data breaches to regulators and affected consumers.

EDPS Giovanni Buttarelli said provisions should only be written into new data protection legislation if "genuinely necessary". Guidance from data protection authorities could provide the detail on how the laws should be interpreted in practice, he said.

"Excessive detail or attempts at micromanagement of business processes risks becoming outdated in the future," Buttarelli said in a new opinion (12-page / 1.30MB PDF) published by his office. "Here we may take a leaf from the EU's competition manual, where a relatively limited body of secondary legislation is rigorously enforced and encourages a culture of accountability and awareness among undertakings."

"Existing procedures are not sacrosanct: our recommendations aim to identify ways of de-bureaucratising, minimising the prescriptions for documentation and irrelevant formalities," he said.

Buttarelli said the final Regulation should allow data protection authorities the freedom to serve fines of up to €100 million or 5% of a business' annual global turnover, whichever is higher, where those companies breach the new rules. EU governments have given their support to a more complicated sanctions regime in which the maximum penalty that could be issued would be a fine of up to 2% of turnover.

Buttarelli's recommendations, if introduced, would also force certain organisations to appoint a data protection officer (DPO), which runs contrary to the proposals backed by most national governments in the EU. Organisations involved in data processing that implies "regular or systematic monitoring of data subjects or a high level of risk" to people's privacy should appoint a DPO, and so should public bodies, according to Buttarelli's proposals.

The EDPS' proposals, if adopted, would also establish in law the factors for determining whether the purposes of an organisation's personal data processing accord with the purposes for which it collected that data. One factor that businesses would have to take into account under the plans would be the context in which they collected data about people and those individuals' "reasonable expectations" on data use.

Buttarelli also said that he is opposed to proposals which would allow businesses to transfer personal data from the EU to other countries where they have a legitimate interest in doing so and where that interest is not overridden by privacy rights.

The draft text backed by most EU governments would permit businesses to proceed with data transfers which are "not large scale or frequent" where it is "necessary for the purposes of the legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced suitable safeguards with respect to the protection of personal data".

Buttarelli also wants the new Regulation to give greater freedom to health bodies and medical researchers to retain personal health data for "scientific, statistical or historical purposes" for "longer periods than would have been necessary for the other purposes for which the data have been processed", provided privacy safeguards have been adhered to.
