There are two parts to the current EU reforms: the proposed new data protection Regulation with general rules on data protection, and a new data protection Directive with specific rules for law enforcement. The difference between a Regulation and a Directive is that the former must be implemented by member states ‘as is’, while the latter can be implemented in the manner each country prefers provided that the rules are met
EDPS Peter Hustinx says of the former, “The proposed Regulation constitutes a huge step forward for the right to data protection in Europe.” But he has a number of concerns, including the possibility that it allows the restriction of basic principles and rights; it gives the EC excessive powers in ensuring consistency throughout Europe; and it provides new ground for exceptions to the purpose limitation principle. He is also concerned about what he terms ‘the possible derogation for transferring data to third countries.’
His biggest criticisms are reserved for the law enforcement Directive. He says, “The proposed rules for data protection in the law enforcement area are unacceptably weak.” He believes that “there is no justification whatsoever for departing from the rules provided in the proposed Regulation,” and that while law enforcement requires some specific rules, it does not require “a general lowering of the level of data protection.”
He has four particular concerns over data protection and law enforcement: a ‘lack of legal certainty’ over the use of personal data by law enforcement; the lack of a general duty for LEAs to demonstrate compliance with data protection requirements; weak conditions for transfers to third countries; and what he terms “the unduly limited powers of supervisory authorities.”
The one area that transcends both reforms is the transfer of personal data to third countries, and this is his major concern. “The EDPS is, however, seriously disappointed with the proposed Directive for data protection in the law enforcement area,” states the formal Opinion. “The proposed instruments taken together do not fully address factual situations which fall under both policy areas, such as the use of PNR or telecommunication data for law enforcement purposes.” These two areas, passenger name records (PNR, and in particular the separate agreement on the transfer of personal data to the US Department of Homeland Security) and telecommunication data (that is, the storage and use of personal data intercepted from people’s use of the internet) are the two areas that also most concern European civil liberties groups.