EU committee has reservations over proposed Data Protection Regulation

The Opinion is not unanimous, but was approved within the committee by 165 votes to 34, with 12 abstentions. One area of division is whether it should be a regulation or directive. The latter allows for greater flexibility in national implementations, and is the preference of the UK. Even if it is implemented by regulation, says the EESC, it “should nevertheless leave Member States free to adopt provisions under national law in areas not covered.”

Like many of the individual countries, the committee is also concerned about the number of delegated acts (that is, later additions by the EC), “references to which appear almost everywhere.” But one area in which it is in direct conflict with the UK’s position is over the threshold for a mandatory data protection officer within SMEs. The UK wants this provision to be relaxed. The committee wants it to be tightened. “The threshold of 250 workers determining the applicability of some protection provisions, such as the obligation to appoint a Data Protection Officer, would mean that only slightly under 40% of employees would be protected under this provision.” It suggests possibly making the threshold lower.

Two aspects the committee repeatedly criticizes are ‘vague wording’ and the number of ‘exceptions’. For example, “The exception at the end (‘unless this proves impossible or involves a disproportionate effort’) is unjustifiable and unacceptable;” and “The vague wording of the exception (‘compelling legitimate grounds’) is unacceptable and renders the right to object meaningless.”

The committee also feels that there are omissions. Search engines, for example, “should come expressis verbis within the scope of the regulation. The same should go for the sites of servers providing storage space and, in some cases, cloud computing software, that can collect data on users for commercial ends.” This could bring the EC in direct conflict with the likes of Google, Microsoft, Yahoo, Facebook and potentially Amazon – the combined economic strength of which is likely to be greater than many of the individual member states.

Like France, the EESC is concerned that the right to be forgotten is itself largely forgotten. ‘Expressis verbis’ “should also apply to personal information published on social networks, which, in accordance with the right to be forgotten, should allow data subjects to modify or erase such information or to request the deletion of their personal pages.”

Finally, the EESC criticizes the proposed ‘one-stop-shop’ for data protection contact. “For this one-stop-shop to work, the 1500 employees of data protection authorities in Europe will now cooperate more closely,” said EC vice-president Viviane Reding in May. But the EESC says this could “lead to a marked deterioration in data protection for the public in general, and in the protection of the personal data of workers in particular.” It concludes that there are “reasons in favour of jurisdiction remaining with the authority in the complainant's Member State of residence.”
