Accessibility Tools

Data Protection and the EU institutions


Data Protection and the EU institutions

15 March 2017, By Giovanni Buttarelli

A new generation of data protection standards is being promulgated by the European Union. Almost one year ago, the adoption of the General Data Protection Regulation (GDPR) and the Directive for the police and justice sectors represented the most ambitious endeavour of the EU legislator so far to secure the fundamental rights of the individual in the digital era. 

Now is the time for EU institutions themselves to lead by example in the rules that they apply to themselves as  controllers and processors. Over the past 18 months the EDPS has initiated dialogue with EU institutions at the highest level to prepare them for the new challenges on data protection compliance, emphasising the new principle of accountability for how data is processed.  

With our Opinion, the EDPS aims to bring the experience of twelve years of independent supervision, policy advice and advocacy in suggesting improvements to the proposed Regulation on personal data processing by EU institutions and bodies.

Regulation 45/2001 has served as a bellwether providing directly applicable obligations for controllers, rights for data subjects and a clearly independent supervisory body. The EU now must ensure consistency with the GDPR through an emphasis on accountability and safeguards for individuals rather than procedures. Some divergence of rules applicable to EU institutions data processing is justifiable, in the same way as public sector exceptions have been included in the GDPR, but this must be kept to a minimum. 

Essential however, from the perspective of the individual, is that the common principles throughout the EU data protection framework be applied consistently irrespective of who happens to be the controller.  It is also essential that the whole framework is applicable at the same time, that the GDPR becomes fully applicable in May 2018.
 
The EDPS was consulted by the Commission on the draft proposal in line with a long-standing arrangement between our institutions. Overall, we consider that the Commission has achieved a good balance of the various interests at stake.

Our Opinion sets out a number of areas in which the proposal could be further improved. We argue for improvements to the proposed regulation, particularly regarding the restrictions to the rights of the data subject and provision for EU institutions to use certification mechanisms in certain contexts. 

With respect to our own tasks and powers as an independent body, the proposal appears to strike a reasonable balance and to reflect the normal functions of an independent data protection authority under the Charter of Fundamental Rights and as reaffirmed in recent case law from the CJEU, whether as enforcer, complaints handler and adviser to the legislator on policies affecting data protection and privacy. 

We encourage the EU legislator to reach agreement on the proposal as swiftly as possible so as to allow EU institutions to benefit from a reasonable transition period before the new Regulation becomes applicable.

All blogposts

  • 25 March 2017

    60th anniversary of the Rome Treaties. Giovanni Buttarelli to participate in the meeting of the 27 EU heads of state and heads of European Union institutions in Rome, Italy.

  • 15 March 2017

    Data Protection and the EU institutions. Read the latest blogpost by Giovanni Buttarelli and the EDPS Opinion.

  • 15 March 2017

    EDPS sees opportunity for stronger consumer and data protection. Read the EDPS Opinion and the press release.

  • 13 March 2017

    2018 International Conference of Data Protection and Privacy Commissioners to be hosted in Brussels. Read the press statement.

  • 07 March 2017

    EDPS calls for consistent improvements in the approach to EU border policy. Read the EDPS Opinion and the press release.

  • 28 March 2017

    Giovanni Buttarelli meeting with Greg Nojeim, Senior Counsel and Director, Freedom, Security and Technology Project, Center for Democracy & Technology (CDT), Brussels, Belgium

  • 28 March 2017

    Giovanni Buttarelli meeting with Cornelia Ernst, MEP, Brussels, Belgium

  • 27 March 2017

    Processing of personal data  by the Union institutions, bodies, offices and agencies, Study group meeting, EESC, Participation of Giovanni Buttarelli, Brussels Belgium

  • 25 March 2017

    60th anniversary of the Rome Treaties, Participation of Giovanni Buttarelli in the meeting of the 27 EU heads of state and heads of European Union institutions, Rome, Italy

  • 23 March 2017

    Forum on International Privacy Law, Participation of Wojciech Wiewiórowski, Königstein, Germany

  • 23 March 2017

    Participation of Giovanni Buttarelli in DAPIX, Brussels, Belgium

  • 23 March 2017

    Concurrences Review, Law & Economics Workshop: Big Data, Speech by Giovanni Buttarelli, Brussels, Belgium

  • 13 March 2017

    Regulating Privacy through Ethical Standards and Accountability Principles in the era of Big Data, Keynote speech of Wojciech Wiewiórowski: Towards a new digital ethics – data, dignity and technology: How to ensure accountability in personal data management?, Brussels, Belgium