Data protection: Jan Philipp Albrecht

Consistency is the watchword as the EU strives to update its data protection rules, writes Jan Philipp Albrecht

The discussion of the new data protection regulation proposed by the European commission in January has made progress in both the EU institutions and member states. The reform package incorporates to a great extent parliament’s recommendations from July 2011 on adopting a comprehensive approach, strengthening individuals’ rights, further advancing the internal market dimension and ensuring better enforcement of data protection rules, and strengthening the global dimension.

Discussions on issues, such as delegated and implementing acts, administrative burdens and the ‘consistency mechanism’ are still ongoing across the institutions. The next six months will be the hot phase on finding the right solutions in the parliament and council. An orientation vote in the lead committee on civil liberties, justice and home affairs (LIBE) is foreseen in April 2013, allowing for a start of negotiations during the Irish EU council presidency. The committees have asked for an opinion and are planning their work accordingly. Due to the urgent need for a coherent legal framework in the fast evolving environment, the aim of the LIBE rapporteur and the shadow rapporteurs is to achieve an agreement on the package with the council during this legislative term.

The definitions of ‘personal data’ and ‘data subject’ are key, because they determine the scope and effective application of the safeguards contained in the regulation to the various types of processing of personal data. The material scope of the regulation in this sense should be the same as in the current directive. As the data protection framework is an expression of a fundamental right, a limitation of the material scope is not in the hands of the legislator. However, legitimate concerns regarding specific business models can be addressed in different parts of the regulation, accordingly.

In order to reach the best level of data protection and enable new business models, we need to encourage the pseudonymous and anonymous use of services. Clearly defining ‘anonymity’ should also help data controllers understand when they are outside of the scope of the regulation. For the use of pseudonymous data, when the data controller is able to single out individual persons by a pseudonym, there could be alleviations with regard to obligations for the data controller.

Specific rights for the individual vis-à-vis the data controller have always been a basis of data protection. These are to be guaranteed, but also strengthened and clarified in order to match the challenges of the digital age and provide legal certainty for consumers and businesses. On the other hand, the proposed regulation can be simplified by merging those rights that are very similar, being two sides of the same coin. This will reduce administrative burdens for data controllers and make it easier for individuals to understand and exercise their rights.

For both the data subjects and the data controllers, legal certainty across the European Union is an important issue. Therefore, it will be important to reach a consistent application of the new data protection regulation. As this should not be done through a large amount of delegated and implementing acts which could be adopted as clarification of the basic act, the upcoming work will be focussed on reducing the open questions in the regulation and giving the data protection authorities the tools required to achieve consistency.

Jan Philipp Albrecht is parliament's rapporteur on the general data protection regulation