The EESC has formally published its Opinion on the ‘Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data’ (which it refers to as the General Data Protection Regulation). The EESC is one of the EU’s formal consultative bodies; it is a consultative assembly composed of employers, trade unions and representatives of various other interest groups.
Given the wide-ranging criticism of the proposals for the General Data Protection Regulation, and especially the reported opposition from certain influential EU governments, the EESC’s views may be of questionable relevance but, as a formal consultative body, its views will carry considerable weight. It is well worth noting that the balance of its recommendations call for wider protection and Google and cloud providers should pay the Opinion special attention. The relevant OJ entry is here.
The EESC’s conclusion and recommendations are as follows:
1.1 The EESC welcomes the general direction taken by the Commission, endorses the proposed choice of enabling provision and agrees in principle with the objectives of the proposal, which closely reflect a Committee opinion. In terms of the legal position of data protection, the EESC believes that the processing and transmission of data within the single market must comply with the right to protection of personal data as specified in Article 8 of the Charter of Fundamental Rights and Article 16(2) of the Treaty on the Functioning of the European Union.
1.2 The Committee is divided in its views as to whether a regulation is the best choice given the task in hand and calls on the Commission to do more to demonstrate and justify the reasons that make this instrument preferable to a directive, if not indispensable.
1.3 However, the Committee regrets the fact that the stated principles of the right to protection of personal data are qualified by an excessive number of exceptions and restrictions.
1.4 In the new context of the digital economy, the Committee shares the Commission’s opinion that, ‘individuals have the right to enjoy effective control over their personal information’ and considers that this right should be extended to cover the various purposes for which individual profiles are drawn up on the basis of data collected by numerous (legal and sometimes illegal) methods and its processing.
1.5 As this is a matter of fundamental rights, harmonisation by means of a regulation to cover specific areas should nevertheless leave Member States free to adopt provisions under national law in areas not covered, as well as provisions that are more favourable than those set out in the regulation.
1.6 Furthermore, when it comes to delegated acts, references to which appear almost everywhere, the Committee cannot accept those that do not fall within the express scope of Article 290 TFEU.
1.7 The Committee nevertheless welcomes the focus on creating a proper institutional framework to ensure that the legal provisions function effectively, both at company level (through data protection officers (DPOs)) and in Member States’ public administrations (through independent supervisory authorities) It would, however, have appreciated an approach from the Commission that was more in line with the real needs and expectations of the public and that applied more systematically to certain fields of economic and social activity in accordance with their nature.
1.8 The EESC considers that several improvements and clarifications can be made to the proposed text. It gives some detailed examples in this opinion in relation to a number of articles, helping to provide a better definition of rights, of stronger protection for the public in general and of workers in particular, of the nature of consent, of the lawfulness of processing and, in particular, of the duties of data protection officers and data processing in the context of employment.
1.9 The EESC also considers that some aspects that have not been addressed should be included, not least the need to broaden the scope of the regulation, the processing of sensitive data and collective actions.
1.10 In this respect, the EESC believes that search engines, the majority of whose revenue comes from targeted advertising thanks to their collection of personal data concerning the visitors to their sites, or indeed the profiling of those visitors, should come expressis verbis within the scope of the regulation. The same should go for the sites of servers providing storage space and, in some cases, cloud computing software, that can collect data on users for commercial ends.
1.11 The same should also apply to personal information published on social networks, which, in accordance with the right to be forgotten, should allow data subjects to modify or erase such information or to request the deletion of their personal pages as well as links to other high-traffic sites where that information is reproduced or discussed. Article 9 should be amended to that end.
1.12 Lastly, the EESC calls on the Commission to reconsider certain aspects of the proposal that it deems unacceptable, in sensitive areas such as child protection, the right to object, profiling, certain restrictions to the rights granted, the threshold of 250 workers for the appointment of a DPO and the way in which a one-stop shop is organised.