Privacy & Information Security Law Blog

On March 15, 2013, European Data Protection Supervisor Peter Hustinx sent a letter to Juan Fernando López Aguilar, Chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), with his comments regarding certain aspects of the European Commission’s proposed revised data protection framework. On March 20, 2013, Peter Hustinx was invited to present his comments during a LIBE Committee meeting, together with the President of the Article 29 Working Party, Jacob Kohnstamm.

Hustinx’s comments build on his March 7, 2012 opinion concerning the proposed General Data Protection Regulation (“Proposed Regulation”) and the proposed Police and Criminal Justice Directive (“Proposed Directive”). Since that opinion was issued, the relevant committees of the European Parliament have suggested amendments to the data protection reform package. Below are some key points from Hustinx’s March 15, 2013 letter.

• Many amendments concern the definition of anonymous and pseudonymous data and the rules applicable to these types of data. Hustinx emphasizes that the core principles of the Proposed Regulation should remain applicable to pseudonymous data. Hustinx also believes that data is only anonymous if it has been irreversibly anonymized. Anonymization should make it impossible for the data controller (or anyone else) to identify the individual to whom the data relate.
• Some amendments aim to restrict the scope of application of the Proposed Regulation by creating exceptions for specific sectors or processing situations. Although Hustinx advises against creating more exceptions than are already included in the Proposed Regulation, he welcomes the progressive risk-based approach proposed by the Council. This approach would impose more detailed obligations for riskier data processing operations. Hustinx further advises against amendments that aim to restrict the scope of application of the Proposed Regulation to data subjects residing in the European Union.
• Hustinx approves of deleting Article 6(4) of the Proposed Regulation that would permit the processing of personal data for a purpose that is incompatible with the purpose for which the data were collected. Hustinx proposes keeping the “legitimate interest” ground for data processing flexible. He is not in favor of amendments proposing itemized lists of specific circumstances in which the legitimate interests of the data controller override the rights and interests of the data subject (and vice-versa).
• Hustinx advises against amendments that would limit the responsibilities of data processors and soften accountability requirements. Hustinx is in favor of amendments that would strengthen the notion of accountability and offer more flexibility to organizations that have accountability mechanisms already in place (such as those that have appointed a data protection officer).
• Hustinx states that he supports amendments that extend the scope of binding corporate rules to external subcontractors, but does not elaborate on this issue.
• Hustinx supports amendments that grant supervisory authorities greater latitude when imposing sanctions, and cautions that lists of aggravating and mitigating factors should not hinder this flexibility.

The LIBE Committee vote on the proposed amendments has been postponed until the end of May 2013.