EDPS welcomes a "huge step forward for data protection in Europe", but regrets inadequate rules for the police and justice area

The EDPS congratulates the Commission on the publication today of the package for reforming the data protection rules in Europe. The Commission has presented two legislative proposals: a general Regulation on data protection and a specific Directive for the area of police and justice.

As regards the general Regulation, Peter Hustinx, EDPS, says: “The proposal for the general rules on data protection is ambitious and constitutes a huge step forward for data protection in Europe. Although there is certainly room for further improvement, we generally support the solutions proposed by the Commission. This proposal is an excellent starting point for the adoption of European rules on data protection robust enough to face the information technology-driven challenges before us.”

The EDPS supports the general Regulation on main lines, in particular for the following reasons:

• by proposing a regulation, EU citizens in all Member States can benefit from the same high level of data protection, including stronger data subjects' rights;
• by introducing compulsory mechanisms (such as impact assessments, data protection officers and documentation on processing), data controllers in the private and in the public sectors are made more accountable for what they do;
• the independence and enforcement powers of national data protection authorities are reinforced;
• at the same time, the administrative burden will be reduced, and
• the consistent implementation of the rules within the EU will free companies from having to deal with diverging national legislative regimes and authorities.

However, the EDPS strongly regrets the inadequate content of the specific Directive on data protection in the area of police and justice. Peter Hustinx states: “The Commission has not lived up to its promises to ensure a robust system for police and justice. These are areas where the use of personal information inevitably has an enormous impact on the lives of private individuals. It is difficult to understand why the Commission has excluded this area from what it intended to do, namely proposing a comprehensive legislative framework.”

The EDPS firmly supports one specific improvement, that domestic processing is covered by the proposed Directive. However, this safeguard only has added value if the Directive substantially increases the level of data protection in this area, which the Commission itself has criticised as too low. With the current proposal, this is absolutely not the case. The EDPS regrets in particular that:

• the Commission does not propose stricter rules for the transfer of personal data outside the EU;
• data protection authorities are not given mandatory powers to effectively control the processing of personal data in this area;
• the possibilities for the police to access data processed in the private sector are not regulated.

The EDPS will analyse the two proposals in detail and will present a detailed formal opinion to the EU legislator in the coming months.