European Data Protection Supervisor Giovanni Buttarelli published his recommended version of the data protection regulation today (27 July) and launched a mobile app that compares his suggestions to the three proposals from the European Parliament, Commission and the Council.
The three proposals currently at the centre of negotiations are “not the ideal reform,” Buttarelli said.
His proposal for the data protection regulation is significantly shorter than the proposals from the Parliament, Commission and Council. He has criticised the institutions for including details he says won’t be flexible enough in practice or open to future changes in technology.
The three institutions started informal “trialogue” talks in June and are expected to conclude with a compromise draft law by the end of the year. If negotiators reach an agreement by early 2016, a two-year transition period will follow before the data protection regulation goes into effect in all EU member states. The European Data Protection Supervisor is not involved in drafting legislation but advises EU institutions and publishes opinions on privacy issues.
Buttarelli said, “If it takes four years to discuss a piece of legislation, technology changes. The kind of internet we know today will be entirely different five years from now because of the internet of things.”
One of the articles Buttarelli said needed attention addresses companies’ ability to collect data for purposes other than the ones their customers first agreed to. According to Buttarelli, that shouldn’t be allowed.
“Purpose limitation is one of the pillars of data protection around the world. We cannot minimise or alter it. It should stay, full stop,” Buttarelli said.
The Council’s proposal suggested data can be processed for other purposes if the data controller has a “legitimate interest.”
Biometric data, which can identify a person’s appearance or behaviour, will also need to be redefined a few years from now, according to Buttarelli.
Because companies headquartered outside Europe will still have to comply with European data protection rules if they process Europeans’ data, Buttarelli said the new reform package is drawing a lot of attention from other countries.
“An increasing number of countries around the world have difficulties understanding what the trialogue is,” Buttarelli said.
“There’s one text from the Commission and one from the Council, and they don’t understand what the outcome is, what the process is, or what the deadlines are.”
Buttarelli said the app his office launched today will be good for the transparency of the trialogue meetings, which have attracted criticism for being secretive.
Trialogue meetings are informal, closed-door negotiating sessions during which the Parliament and Council agree to a compromise draft law.
The app lines up the institutions’ proposals, as well as the Supervisor’s recommended version, in columns next to each other and highlights differences between the texts. Users can search for terms and add comments.
The app does not require special permissions to access users’ data. A spokesperson for the supervisor said the version for Apple does not connect to users’ iClouds.
“It is a test for the institutions to better communicate in terms of transparency by using modern tools, particularly in this case where these texts only appear together, the three, on one website of an NGO,” Buttarelli said.
EurActiv previously reported that the European Ombudsman, who investigates maladministration in EU institutions, had opened an inquiry into the transparency of trialogue meetings. Her office asked the Commission, Council and Parliament to respond to questions by September.
Ombudsman spokeswoman Gundi Gadesmann said of the Data Protection Supervisor’s new app, “Every effort to make it easier for citizens to follow trialogues and to enable them to compare different positions that emerge during the law-making process is very welcome indeed.”
The app will update when trialogue meetings on the data protection reform resume in September.
“Perhaps it will be a benchmark. Can you imagine the same app applied to Grexit discussion?” Buttarelli said.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
- October 2015: Agreement on general approach expected to be reached at EU justice minister's meeting
- By end of 2015: Negotiators plan to finish trialogue discussions
European Data Protection Supervisor
Council of the EU