On 23 March 2012, the Article 29 Working Party, an independent European advisory body on data protection and privacy composed of a representative of the national data protection authorities of the EU Member States, a representative of the European Data Protection Supervisor and a representative of the European Commission, published its opinion on the European Commission's data protection reform proposals (see this Newsletter, Volume 2012, No. 1, p. 6 and No. 2, p. 3). Earlier that month, on 7 March 2012, the European Data Protection Supervisor ("EDPS") had also issued his opinion on the reform package.

The data protection reform proposals published on 25 January 2012 include a draft Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Draft Regulation"), which is supposed to replace the present Data Protection Directive 95/46/EC, and a draft Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (the "Draft Directive").

Both the Article 29 Working Party and the EDPS overall welcome the Draft Regulation, whereas they strongly criticise the Draft Directive. As regards the Draft Regulation, they recognise in particular that it seeks to strengthen the rights of data subjects, enhance the responsibility of data controllers and reinforce the position of supervisory authorities, whilst significantly reducing the existing fragmentation of data protection across the EU. In contrast, the Draft Directive is regarded as greatly inferior to the Draft Regulation. The Working Party in particular feels that "a high level of consistent data protection standards also applying to this area is all the more needed".

Both opinions include some general remarks about the two proposed legal instruments, discuss their positive and negative aspects in general terms and also address specific provisions, in some cases proposing changes (for instance, the proposed 24h time limit for mandatory data breach notifications is considered to be too short and the EDPS proposes a 72h time limit instead).

Both the Article 29 Working Party and the EDPS criticise the European Commission for its failure to propose a single legal instrument and include the rules that apply to the EU institutions; the data processing in the area of police and judicial cooperation in criminal matters and in the area of common foreign and security policy; and the rules governing the collection and transfer of data (such as passenger name records or telecommunications data) by private parties for law enforcement purposes (and the subsequent use by law enforcement authorities). Both opinions also highlight that the Draft Regulation does not sufficiently address the relationship between EU law and national law, where specific national rules will continue to exist.

The Article 29 Working Party and the EDPS are also highly critical of the extent to which the European Commission is empowered to adopt delegated and implementing acts to specify certain provisions of the Draft Regulation, and of its foreseen role with respect to individual cases under the consistency mechanism, which is considered to encroach upon the independent position of the data protection authorities.

Both opinions express fears that the exceptions and thresholds proposed for micro, small and medium-sized enterprises are too broad and may lead to inconsistent outcomes and undesirable results.

The Article 29 Working Party is particularly concerned about the implications of the proposed enhanced duties for data protection authorities on budget and resources and in this respect strongly suggests an independent in-depth assessment of the increased costs. It even requests guidance on what would amount to an adequate budget.

In particular with respect to the enhanced responsibility of data controllers, which both the Article 29 Working Party and the EDPS strongly support, it is noteworthy that some of the recommendations of the EDPS go even further than the Draft Regulation. For instance, the EDPS recommends including additional elements, such as training of staff, in a general provision, further developing the concept of management control, providing that controllers publish a regular report of their activities and obliging controllers to adopt an information security management approach within the organisation. The EDPS also suggests including a wider provision on collective actions in the Draft Regulation. In contrast, the Article 29 Working Party and the EDPS also consider the proposed obligation to maintain detailed documentation of all processing operations to create a considerable burden for many data controllers and generally demand that the size of the data controller and the nature of the processing activities be taken into account when defining the proposed general obligation of accountability.

The opinion of the Article 29 Working Party can be consulted here and a copy of the EDPS opinion can be found here.
