31.7.2012

EN

Official Journal of the European Union

C 229/90

---

Opinion of the European Economic and Social Committee on the ‘Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’

COM(2012) 11 final — 2012/011 (COD)

2012/C 229/17

Rapporteur-general: Mr PEGADO LIZ

On 16 February 2012 and 1 March 2012 respectively, the European Parliament and the Council decided to consult the European Economic and Social Committee, under Article 304 of the Treaty on the Functioning of the European Union, on the

Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

COM(2012) 11 final — 2012/011 (COD).

On 21 February 2012, the Committee Bureau instructed the Section for Employment, Social Affairs and Citizenship, to prepare the Committee's work on the subject.

Given the urgent nature of the work, the European Economic and Social Committee decided, at its 481st plenary session, held on 23 and 24 May 2012 (meeting of 23 May), to appoint Mr PEGADO LIZ rapporteur-general and adopted the following opinion by 165 votes to 34, with 12 abstentions.

1.   Conclusion and recommendations

1.1

The EESC welcomes the general direction taken by the Commission, endorses the proposed choice of enabling provision and agrees in principle with the objectives of the proposal, which closely reflect a Committee opinion. In terms of the legal position of data protection, the EESC believes that the processing and transmission of data within the single market must comply with the right to protection of personal data as specified in Article 8 of the Charter of Fundamental Rights and Article 16(2) of the Treaty on the Functioning of the European Union.

1.2	The Committee is divided in its views as to whether a regulation is the best choice given the task in hand and calls on the Commission to do more to demonstrate and justify the reasons that make this instrument preferable to a directive, if not indispensable.

1.3	However, the Committee regrets the fact that the stated principles of the right to protection of personal data are qualified by an excessive number of exceptions and restrictions.

1.4

In the new context of the digital economy, the Committee shares the Commission's opinion that, ‘individuals have the right to enjoy effective control over their personal information’ and considers that this right should be extended to cover the various purposes for which individual profiles are drawn up on the basis of data collected by numerous (legal and sometimes illegal) methods and its processing.

1.5	As this is a matter of fundamental rights, harmonisation by means of a regulation to cover specific areas should nevertheless leave Member States free to adopt provisions under national law in areas not covered, as well as provisions that are more favourable than those set out in the regulation.

1.6	Furthermore, when it comes to delegated acts, references to which appear almost everywhere, the Committee cannot accept those that do not fall within the express scope of Article 290 TFEU.

1.7

The Committee nevertheless welcomes the focus on creating a proper institutional framework to ensure that the legal provisions function effectively, both at company level (through data protection officers (DPOs)) and in Member States' public administrations (through independent supervisory authorities) It would, however, have appreciated an approach from the Commission that was more in line with the real needs and expectations of the public and that applied more systematically to certain fields of economic and social activity in accordance with their nature.

1.8

The EESC considers that several improvements and clarifications can be made to the proposed text. It gives some detailed examples in this opinion in relation to a number of articles, helping to provide a better definition of rights, of stronger protection for the public in general and of workers in particular, of the nature of consent, of the lawfulness of processing and, in particular, of the duties of data protection officers and data processing in the context of employment.

1.9	The EESC also considers that some aspects that have not been addressed should be included, not least the need to broaden the scope of the regulation, the processing of sensitive data and collective actions.

1.10

In this respect, the EESC believes that search engines, the majority of whose revenue comes from targeted advertising thanks to their collection of personal data concerning the visitors to their sites, or indeed the profiling of those visitors, should come expressis verbis within the scope of the regulation. The same should go for the sites of servers providing storage space and, in some cases, cloud computing software, that can collect data on users for commercial ends.

1.11

The same should also apply to personal information published on social networks, which, in accordance with the right to be forgotten, should allow data subjects to modify or erase such information or to request the deletion of their personal pages as well as links to other high-traffic sites where that information is reproduced or discussed. Article 9 should be amended to that end.

1.12

Lastly, the EESC calls on the Commission to reconsider certain aspects of the proposal that it deems unacceptable, in sensitive areas such as child protection, the right to object, profiling, certain restrictions to the rights granted, the threshold of 250 workers for the appointment of a DPO and the way in which the ‘one-stop shop’ is organised.

2.   Introduction

2.1	The EESC has been asked to issue an opinion on the Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (1).

2.2

However, it should be noted that this proposal is part of a ‘package’, which also includes an introductory communication (2), a proposal for a directive (3) and a report from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions based on Article 29(2) of the Council Framework Decision of 27 November 2008 (4). The referral to the Committee does not relate to all the legislation proposed, only the draft regulation, whereas the Committee should also have been consulted on the draft directive.

2.3	According to the Commission, the proposal that has been referred to the EESC lies at the intersection of two of the EU's most pivotal legal, political and economic strategies.

2.3.1

On the one hand, Article 8 of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) enshrine data protection as a fundamental right, to be defended as such. This is the basis for the European Commission's communications on the Stockholm Programme and the Stockholm Action Plan (5).

2.3.2

On the other hand, the Digital Agenda for Europe and, more generally, the Europe 2020 strategy promote the consolidation of the ‘single market’ dimension of data protection and the reduction of administrative burdens on companies.

2.4

The Commission's intention is to update and modernise the principles set out in Directive 95/46/EC on data protection (as amended) so as to guarantee privacy rights in the future within the digital society and its networks. The objective is to reinforce individuals' rights, consolidate the EU internal market, secure a high level of data protection in all areas (including judicial cooperation in criminal matters), ensure proper enforcement of the rules adopted for this purpose, facilitate international transfers of personal data and set universal data protection standards.

3.   General comments

3.1

In the new context of the digital economy, the Committee shares the Commission's opinion that, ‘individuals have the right to enjoy effective control over their personal information’ and considers that this right should be extended to cover the other purposes for which individual profiles are drawn up on the basis of numerous (legal and sometimes illegal) methods of data collection and the processing of the data thus obtained. The Committee also considers that the processing and transfer of data in the context of the single market should be subject to the right to protection under Article 8 of the Charter of Fundamental Rights. This is a fundamental right, guaranteed in the EU's institutional law and in the national law of most Member States.

3.2

All EU citizens and residents, in their capacity as such, have fundamental rights that are guaranteed in the Charter and in the treaties. These rights are also recognised in the law of the Member States, sometimes even in constitutional law. Other rights, such as image rights and the right to protection of privacy, complement and reinforce the right to the protection of data relating to them. The means must be available to ensure that these rights are respected, by asking for a website to change or remove a personal profile or data file from the server, and obtaining a court injunction to this end in the event of failure to comply.

3.3

Files containing individual data need to be kept by public authorities (6), by businesses for the purpose of staff management, by commercial services, by associations, trade unions and political parties and by social websites and search engines on the Internet. However, in order to protect the private lives of the individuals whose data is registered legally in these filing systems, each of which has a different purpose, such files should collect only such information as is essential for their respective purposes and should not be interconnected via ICT when there is no need and no legal protection. The existence of an authority with unlimited access to all data would undermine both civil liberties and privacy.

3.4	When such data files are held by private law bodies, the individuals in question must have a right to access, edit and even remove the files, both in records used for market research and those held by social sites.

3.5

For data files held by public or private administrations in compliance with legal obligations, data subjects must have the right to access data and rectify them in the event of error, or have them removed if their inclusion is no longer warranted, as in the case of criminal record amnesties, the end of employment contracts or cases where record-keeping requirements have been met.

3.6

The EESC welcomes the general direction taken by the Commission, acknowledging that while the objectives of Directive 95/46/EC (as amended) remain relevant, a thorough review had become indispensable owing to all the technological and social changes that have taken place in the digital environment in the seventeen years since it was introduced. For example, certain aspects of international exchanges of information and data between administrations responsible for prosecuting crimes and enforcing judgments in the framework of police and judicial cooperation were not addressed in Directive 95/46/EC. This issue is addressed in the draft directive which forms part of the data protection package on which the Committee has not been consulted.

3.7

The EESC agrees in principle with the proposal's objectives, which tie in with the protection of fundamental rights and follow the Committee opinion (7) closely, particularly: — the establishment of a single set of data protection rules, giving the highest possible level of protection and valid throughout the Union; — the express reaffirmation of the free movement of personal data within the EU; — the abolition of a number of unnecessary administrative requirements, which would, according to the Commission, represent savings to business of around EUR 2,3 billion a year; — the introduction of a new requirement for companies and organisations to notify the national supervisory authority of any serious personal data breaches without delay (if possible within 24 hours); — the possibility for individuals to deal with their own country's data protection authority, even when their data is processed by a company established outside the EU; — the moves to facilitate individuals' access to their own data and the transfer of personal data from one service provider to another (right to data portability); — the introduction of a ‘right to be forgotten in the on-line environment’, to enable individuals to manage the risks connected with the protection of online data as effectively as possible, including the entitlement to have any personal data relating to them erased if there is no legitimate reason for retaining it; — the strengthening of the role of the independent national authorities responsible for data protection compared to the current situation, to enable them to ensure that the EU rules are applied and upheld more effectively within their own State's territory, in particular by granting them the power to impose fines on companies that breach the rules, up to a sum of EUR 1 million or 2 % of the company's annual turnover; — technology neutrality and application to all data processing, whether automated or manual; — the obligation to perform data protection impact assessments.

3.8

The EESC welcomes the focus on the protection of fundamental rights and fully endorses the proposed choice of legal basis, which is to be used for the first time in this legislation. It also draws attention to the utmost importance of this proposal for achieving the single market and its positive impact in the context of the Europe 2020 strategy. With regard to the choice of a regulation, a number EESC members, irrespective of Group, agree with the Commission and consider that it is the legal instrument best suited to guarantee uniform application with the same high level of protection in all Member States; others believe that a directive would be best placed to safeguard the principle of subsidiarity and protect data, particularly in Member States where there is already a higher level of protection than that set out in the Commission proposal. The EESC is also aware that the Member States are themselves divided on this matter. The EESC therefore calls on the Commission to do more to back up its proposal by clearly demonstrating that it is compatible with the principle of subsidiarity and setting out the reasons for which a regulation is essential in the light of the objectives set.

3.8.1

As regulations are applicable immediately and in full in all Member States without the need for transposition, the EESC draws the Commission's attention to the need to ensure consistency between the translations into all languages – which is not the case with the proposal.

3.9

The EESC considers, on the one hand, that the proposal could have gone further in increasing the protection offered by certain rights that have been rendered almost void of content by a multitude of exceptions and limitations and, on the other, that it should have established a better balance between the rights of the various parties concerned. There is therefore a risk of an imbalance between the aims of the fundamental right to data protection and those of the single market, to the detriment of the former. The EESC endorses for the most part the opinion expressed by the European Data Protection Supervisor (8).

3.10

The EESC would have liked to see the Commission adopt an approach that was more in line with the needs and expectations of the public and that applied more systematically to certain fields of economic and social activity such as, for example, e-commerce, direct marketing, employment relationships, public authorities, surveillance and security, DNA etc., by differentiating the legal regimes for these very different aspects of data processing according to their nature.

3.11

With regard to various provisions set out in the proposal (all of which are listed in Article 86), some crucial aspects of the legal instrument and of the functioning of the system are left to future delegated acts (there are 26 delegations of power for an indefinite period). The EESC considers that this goes far beyond the limits laid down in Article 290 of the Treaty and defined in the Commission Communication on the Implementation of Article 290 of the Treaty on the Functioning of the European Union (9), with consequences for the instrument's legal security and certainty. The EESC considers that a certain number of delegations of power could be directly regulated by the European legislator. Others could fall within the remit of national supervisory authorities or their European-level association (10). This would reinforce implementation of the principles of subsidiarity and contribute to greater legal security and certainty.

3.12	The EESC understands why the Commission has only addressed the rights of individuals in this proposal, given its specific legal character, but calls on the Commission to turn its attention to data concerning legal persons as well, particularly those which have legal personality.

4.   Specific comments

Positive aspects

4.1   Importantly, the proposal still complies with the purpose and objectives of Directive 95/46/EC, in particular as regards a number of definitions, the thrust of the principles relating to data quality and justifications for data processing, the processing of special categories of data and various specific rights concerning information and access to data.

4.2   The proposal also introduces positive innovations in key areas. These include: new definitions, clearer conditions for consent, particularly where children are concerned, and the classification of new rights, such as the rights of rectification and erasure and, in particular, the ‘right to be forgotten in the digital environment’, and the right to object and not be subject to profiling, together with extremely detailed obligations for data controllers and processors, and measures to strengthen data security and the general framework for sanctions, principally of an administrative nature.

4.3   The Committee also welcomes the proposal's focus on creating a proper institutional framework to ensure that the legal provisions function effectively, both at company level (through data protection officers) and in Member States' public administrations (through independent supervisory authorities), as well as the further cooperation both between these authorities and with the Commission (through the creation of the European Data Protection Board). However, it points out that the competences of national, and to some extent regional, data protection officers in the Member States must be retained.

4.4   Lastly, the Committee sees the encouragement to draw up codes of conduct and the role accorded to certification mechanisms and data protection seals and marks as positive steps.

What could be improved:

4.5   Article 3 – Territorial scope

4.5.1   The conditions for application of the regulation set out in paragraph 2 are too restrictive: consider the case of pharmaceutical companies based outside Europe which wish to have access to clinical data of data subjects resident in the EU for the purposes of clinical tests.

4.6   Article 4 – Definitions

4.6.1   The elements of ‘consent’, which is the basis for the whole system of data protection, should be defined more precisely, particularly as to the nature of ‘clear affirmative action’ (particularly in the French version).

4.6.2   The concept of ‘transfer of data’ is not defined anywhere: it should be defined in Article 4.

4.6.3   The concept of ‘fairness’, mentioned in Article 5(a), should be defined.

4.6.4   The concept of data which are ‘manifestly made public’ (Article 9(2)(e)) should also be clearly defined.

4.6.5   The concept of profiling, used throughout the proposal, also requires a definition.

4.7   Article 6 – Lawfulness of processing

4.7.1   In sub-paragraph (f), the concept of ‘legitimate interests pursued by a controller’, which are not covered by any of the preceding sub-paragraphs, seems vague and subjective. This concept should be explained more clearly in the text itself, not left to a delegated act (see paragraph 5), particularly since sub-paragraph (f) is not mentioned in paragraph 4, (this is important, for example, for postal services and direct marketing (11)).

4.8   Article 7 – Consent

Paragraph 3 should state that withdrawal of consent prevents any further processing, and that it affects the lawfulness of processing only from the time of withdrawal of consent.

4.9   Article 14 – Information

4.9.1   A maximum time limit should be given in paragraph 4(b).

4.10   Article 31 – Notification of breaches to the supervisory authority

4.10.1   Notification of all breaches may compromise the operation of the system and may ultimately be an obstacle to ensuring that those responsible are held to account.

4.11   Article 35 – Data protection officers

4.11.1   The conditions related to the role of data protection officers should be set out in more detail, particularly in relation to protection against dismissal, which should be clearly defined and extend beyond the period during which the individual concerned holds the post; basic conditions and clear requirements for performing this activity; exemption of DPOs from liability where they have reported irregularities to their employer or to the national data protection authority; the right for employee representatives to be directly involved in the appointment of the DPO and to be regularly informed (12) about problems that arise and how they are resolved. The issue of the resources allocated to the function must also be clarified.

4.12   Article 39 – Certification

4.12.1   Certification should be the responsibility of the Commission.

4.13   Articles 82 and 33 – Data processing in the employment context

4.13.1   There is no explicit reference in Article 82 to performance appraisals (which are not mentioned in Article 20 on ‘profiling’ either). Furthermore, it is not indicated whether this authorisation also applies to the wording of the provisions on DPOs. The prohibition against ‘profiling’ in the context of employment should also be mentioned explicitly in relation to data protection impact assessments (Article 33).

4.14   Articles 81, 82, 83 and 84

4.14.1   The words: ‘Within the limits of this Regulation …’ should be replaced with: ‘… On the basis of this Regulation …’.

What is missing and should be included:

4.15   Scope

4.15.1   As this is a matter of fundamental rights, harmonisation in specific areas should leave Member States free to adopt provisions under national law in areas not covered, as well as provisions that are more favourable than those set out in the regulation, as is already the case for the areas covered by Articles 80 to 85.

4.15.2   Individuals' Internet Protocol addresses should be mentioned explicitly in the body of the regulation among personal data to be protected and not just in the recitals.

4.15.3   Search engines, most of whose revenue comes from advertising and which collect their users' personal data and make commercial use of such data, should be included in the scope of the regulation and not just in the recitals.

4.15.4   Specific mention should be made of the fact that social networks fall within the scope of the regulation, not only when they are involved in profiling for commercial purposes.

4.15.5   Certain Internet monitoring and filtering systems, whose purpose is ostensibly that of combating counterfeiting and which have the effect of profiling certain users, keeping files on them and monitoring all their movements without specific judicial authorisation, should also fall within the scope of the regulation.

4.15.6   The EU's institutions and bodies should also be covered by the obligations set out in the regulation.

4.16   Article 9 – Special categories of data

4.16.1   The best way to proceed would be to create special regimes to match the circumstances, situation and purpose of the processing of data. ‘Profiling’ should also be prohibited in these areas.

4.16.2   The principle of non-discrimination should be introduced in relation to the processing of sensitive data for statistical purposes.

4.17   Opportunities – so far untapped – should be found within the following areas:

—	involvement of employee representatives at all national and European levels in drawing up ‘binding corporate rules’, which should henceforth be accepted as a prerequisite for international data transfers (Article 43);

—	briefing and consultation of European Works Councils for international data transfers, particularly to third countries;

—	briefing and involvement of European social partners and European consumer and human rights NGOs in the appointment of the members of the European Data Protection Board, which is to replace the Article 29 Working Party;

—	briefing and involvement of national level partners and NGOs in the appointment of the members of national data protection authorities, for which there is no provision either.

4.18   Articles 74 to 77 – Collective actions in relation to illegal files and for damages

4.18.1   When violations of data protection rights occur, most are collective in nature: it is not single individuals who are concerned, but a group or all those whose data has been stored. Traditional individual legal remedies are therefore inappropriate for responding to this type of violation. However, although Article 76 permits any body, organisation or association which aims to protect data subjects' rights to launch the procedures set out in Articles 74 and 75 on behalf of one or more data subjects, the same does not apply to claims for compensation or damages, since Article 77 only provides that possibility for individuals, and does not set out a procedure covering collective representation or collective actions.

4.18.2   In this regard, the EESC wishes to renew the call it has made in a number of opinions over many years, concerning the urgent need for the EU to have a harmonised judicial instrument for European-level group action, which is necessary in many areas of EU law and which already exists in several Member States.

What is unacceptable:

4.19   Article 8 – Children

4.19.1   Having defined a ‘child’ as any person below the age of 18 years (Article 4(18)), in accordance with the UN Convention on the Rights of the Child, it is unacceptable to allow 13-year-old children to ‘consent’ to processing of personal data under Article 8(1).

4.19.2   Although the Committee understands the need to have specific rules for SMEs, it is unacceptable that the Commission can simply exempt SMEs from the duty to respect children's rights by way of a delegated act.

4.20   Article 9 – Special categories

4.20.1   Similarly, in Article 9(2)(a) there is no reason why children should be able to give their ‘consent’ to processing of data concerning their national origin, political opinions, religion, health, sex life or criminal convictions.

4.20.2   Data provided voluntarily by individuals, for instance on Facebook, should not be excluded from protection, as might be inferred from Article 9(e), but should benefit at least from the right to be forgotten.

4.21   Article 13 – Rights in relation to recipients

4.21.1   The exception at the end (‘unless this proves impossible or involves a disproportionate effort’) is unjustifiable and unacceptable.

4.22   Article 14 – Information

4.22.1   The same exception in paragraph 5(b) is also unacceptable.

4.23   Article 19(1) – Right to object

4.23.1   The vague wording of the exception (‘compelling legitimate grounds’) is unacceptable and renders the right to object meaningless.

4.24   Article 20 – Profiling

4.24.1   The prohibition of profiling should not be limited to ‘automated’ processing (13).

4.24.2   In paragraph 2(a), the expression ‘… have been adduced …’ should be replaced by ‘… have been taken …’

4.25   Article 21 – Restrictions

4.25.1   The wording of paragraph 1(c) is completely unacceptable, since it contains vague, undefined terms, such as ‘economic or financial interest’, ‘monetary, budgetary and taxation matters’ and even ‘market stability and integrity’, the latter phrase having been added to Directive 95/46.

4.26   Articles 25, 28 and 35 – threshold of 250 workers

4.26.1   The threshold of 250 workers determining the applicability of some protection provisions, such as the obligation to appoint a Data Protection Officer, would mean that only slightly under 40 % of employees would be protected under this provision. With regard to the obligation to provide documentation, the same restriction would mean that a substantial majority of employees would have no opportunity to monitor the use of their personal data and that there would no longer be any controls. The Committee would suggest possibly making the threshold lower, using for instance the number of workers applied in general by Member States for the establishment of workplace representation of employee interests. An alternative approach based on objective criteria could be envisaged, to be based, for instance, on the number of data protection files processed within a time period to be determined, irrespective of the size of the enterprise or service concerned.

4.27   Article 51 – The ‘one-stop shop’

4.27.1   While the ‘one-stop shop’ principle is designed to make life easier for companies and to make data protection mechanisms more effective, it could nevertheless lead to a marked deterioration in data protection for the public in general, and in the protection of the personal data of workers in particular, making the current obligation to ensure that transfers of personal data are subject to a company-level agreement and are approved by a national commission for data protection (14) redundant.

4.27.2   In addition, this system seems to conflict with the aim of locally-based management and to threaten to prevent individuals from having their requests dealt with by the closest and most accessible supervisory authority.

4.27.3   There are therefore reasons in favour of jurisdiction remaining with the authority in the complainant's Member State of residence.

---

(1)  COM(2012) 11 final.

(2)  COM(2012) 9 final.

(3)  COM(2012) 10 final.

(4)  COM(2012) 12 final.

(5)  These communications stress the need for the EU to ‘establish a comprehensive personal data protection scheme covering all areas of EU competence’ and ‘ensure that the fundamental right to data protection is consistently applied’ so that individuals have the right to enjoy effective control over their data.

(6)  See EESC opinion on the re-use of public sector information, OJ C 191, 29.6.2012, p. 129.

(7)  See EESC opinion, OJ C 248, 25.8.2011, p. 123.

(8)  Opinion of the European Data Protection Supervisor on the Data Protection Package, 7 March 2012.

(9)  COM(2009) 673 final, 9.12.2009.

(10)  See the objections on grounds of subsidiarity raised by the French Senate.

(11)  More clarity should be given as to marketing by way of letters addressed to individuals, since as it stands the regulation would ban this practice despite the fact that it is a targeted and relatively unintrusive way of seeking new customers.

(12)  For example, a periodic report on the activities of the DPO could be sent to staff representatives or to the elected worker representatives on the Management Board or on the national and/or European Supervisory Board, where they exist.

(13)  See Recommendation CM/Rec(2010)13 of the Council of Ministers of the Council of Europe, 23 November 2010.

(14)  Specifically, the independent administrative authorities responsible for authorising and supervising the constitution of personal data files; on the contrary, their powers should be extended to cover the digital society and social networks, especially in view of the value of exchanges of personal profiles for marketing purposes.

---

---