A new generation of data protection standards is being promulgated by the European Union. Almost one year ago, the adoption of the General Data Protection Regulation (GDPR) and the Directive for the police and justice sectors represented the most ambitious endeavour of the EU legislator so far to secure the fundamental rights of the individual in the digital era.
Now is the time for EU institutions themselves to lead by example in the rules that they apply to themselves as controllers and processors. Over the past 18 months the EDPS has initiated dialogue with EU institutions at the highest level to prepare them for the new challenges on data protection compliance, emphasising the new principle of accountability for how data is processed.
With our Opinion, the EDPS aims to bring the experience of twelve years of independent supervision, policy advice and advocacy in suggesting improvements to the proposed Regulation on personal data processing by EU institutions and bodies.
Regulation 45/2001 has served as a bellwether providing directly applicable obligations for controllers, rights for data subjects and a clearly independent supervisory body. The EU now must ensure consistency with the GDPR through an emphasis on accountability and safeguards for individuals rather than procedures. Some divergence of rules applicable to EU institutions data processing is justifiable, in the same way as public sector exceptions have been included in the GDPR, but this must be kept to a minimum.
Essential however, from the perspective of the individual, is that the common principles throughout the EU data protection framework be applied consistently irrespective of who happens to be the controller. It is also essential that the whole framework is applicable at the same time, that the GDPR becomes fully applicable in May 2018.
The EDPS was consulted by the Commission on the draft proposal in line with a long-standing arrangement between our institutions. Overall, we consider that the Commission has achieved a good balance of the various interests at stake.
Our Opinion sets out a number of areas in which the proposal could be further improved. We argue for improvements to the proposed regulation, particularly regarding the restrictions to the rights of the data subject and provision for EU institutions to use certification mechanisms in certain contexts.
With respect to our own tasks and powers as an independent body, the proposal appears to strike a reasonable balance and to reflect the normal functions of an independent data protection authority under the Charter of Fundamental Rights and as reaffirmed in recent case law from the CJEU, whether as enforcer, complaints handler and adviser to the legislator on policies affecting data protection and privacy.
We encourage the EU legislator to reach agreement on the proposal as swiftly as possible so as to allow EU institutions to benefit from a reasonable transition period before the new Regulation becomes applicable.