On March 15, Peter Hustinx, the European Data Protection Supervisor, sent a comment letter to the European Parliament expressing his opposition to a number of the amendments suggested by Parliament lawmakers to the European Commission’s draft data protection Regulation. The regulation is intended to update the EU’s 1995 Data Protection Directive 95/46/EC.
Over 3,000 amendments have been proposed to the draft Regulation since it was first introduced in early 2012. Hustinx’s letter raised a number of issues regarding the proposed amendments, including:
- The amendments regarding the definition of “anonymous data” and “pseudonymous data” should be fully consistent with the definition of “personal data,” and should not result in removing certain categories of data from the scope of the Regulation where it is not clear that such data has been fully anonymized.
- Since pseudonymized data still allows the data controller to link the data back to an individual, such data should continue to fall within the scope of the Regulation.
- The definition of “personal data” should continue to focus on whether the data can identify an individual, and Hustinx noted that the ability to identify individuals has increased significantly with new technology.
- The number of exceptions to the scope of the Regulation for specific sectors or processing situations (e.g., the financial sector or employment context) should be limited given the exceptions for specific processing purposes that are already contained in the Regulation.
- The territorial scope of the Regulation should not be narrowed to apply only to individuals “residing in the EU” given that this would deprive large numbers of individuals protected by the existing Directive (e.g., tourists and processing activities conducted in the EU on data subjects residing abroad) of the protections afforded by the Regulation.
- The concept of “explicit consent” should be maintained and should not be revised to imply that inaction or silence could create consent.
- No amendments should lessen the level of accountability required of data processors.
However, his letter did support certain proposed amendments, such as those aimed at: extending the scope of BCRs to apply to external subcontractors; addressing the cases where a request from a foreign judge requires a controller or processor in the EU to transfer personal data; providing for a “one-stop-shop” for controllers without granting exclusive competence to one “lead” data protection authority; and granting supervisory authorities more authority to decide whether to impose a sanction.
Hustinx’s letter was released prior to a March 20 debate held in the EU Parliament regarding the draft Regulation. At the debate, Hustinx reiterated that “most if not all” of the amendments related to the scope of the Regulation “are unnecessary or would do great damage.” However, he expressed his support for amendments proposed by Chief Negotiator Member of Parliament Jan Philipp Albrecht, noting that they tended to reinforce the concept of purpose limitation